Security News Survey – June 7, 2019

This week, we look at a major healthcare billing agency security breach, yet another unsecured database, and a $72 million breach settlement.

It’s been a tough week for healthcare cybersecurity, with several large medical organizations grappling with new and old data breaches. Let’s start by taking a look at a new data breach impacting a combined total of 20 million individuals.

Billing agency breach impacts 20 million customers of prominent medical labs

Quest Diagnostics, a Fortune 500 clinical laboratory, revealed early this week that personal information of 11.9 million customers may have been compromised in a data breach between August 1, 2018, and March 30, 2019. According to the company, the breach stemmed from a third-party partner, American Medical Collection Agency (AMCA), which detected unauthorized access to systems containing personal information as well as limited medical and financial information of customers. Compromised data included Social Security numbers but, thankfully, no test results.

Unfortunately, Quest Diagnostics isn’t the only major clinical lab impacted by the AMCA data breach. North Carolina-based LabCorp revealed in a filing with the Securities and Exchange Commission that it has also been affected, with personal and financial information of roughly 7.7 million patients compromised. The filing listed impacted data like names, dates of birth, addresses, service dates, provider, payment balance, and—most frustratingly—credit card and bank information. LabCorp claims no medical or lab data was affected. The company suffered a network security breach in the summer of last year.

AMCA is in the process of notifying individuals whose credit card or bank information was compromised. For those affected, security experts are recommending accepting identity protection services (which AMCA is likely to offer), keeping an eye on credit card statements from the breach time period, and reviewing a current credit report.

Of course, AMCA services more than just Quest Diagnostics and LabCorp, so we can expect to hear more from this data breach in the coming days or weeks.

Unsecured UChicago Medicine database exposes 1.7 million patient records

The University of Chicago Medicine ran into a major security emergency this week when a researcher discovered an unsecured database belonging to the organization and containing nearly 1.7 million records. The Elasticsearch database was discovered at the end of last month and housed around 34GB worth of records containing sensitive information like names, dates of birth, addresses, gender, financial status, physician names and locations, and more. UChicago sprang to action when notified and secured the database within 48 hours. The organization announced it is completing a forensic investigation, but initial results suggest that no unauthorized parties accessed the database while it was public.

Premera Blue Cross agrees to $72 million data breach settlement

Premera Blue Cross, the Pacific Northwest’s largest health insurance provider, has agreed to pay a whopping $72 million in a settlement resolving a class-action lawsuit surrounding a 2014 data breach that compromised the information of around 10.6 million customers. The deal stipulates a payment of $42 million towards security and business practice improvements, and $32 million toward monetary compensation of the class-action participants (identity and credit services, as well as financial compensation) and legal fees. The company has committed to an extensive overhaul of its security practices, including measures around encryption, protected environments, two-factor authentication, and regular audits, as well as hiring a Chief Information Security Officer and establishing a security operations center (SOC). For a company of its size and nature, the creation of a SOC is long overdue.