High-profile data breaches underline cyber threats to health care industry

The recent breach of a billing collection provider for blood testing groups Quest Diagnostics and LabCorp are underlining the serious threats posed to the health care sector from cyberattacks.

The breach allowed an unauthorized user to access the personal data of almost 12 million Quest patients, including Social Security numbers and financial records, after the hacker broke through the system of American Medical Collection Agency (AMCA), a billing collection provider for Quest. 

{mosads}LabCorp revealed Wednesday that it, too, was impacted, with the records of 7.7 million of its patients compromised by the data breach of the AMCA’s systems.

A handful of Democratic senators have already announced they are looking into the breaches.

Sens. Cory Booker (D-N.J.) and Bob Menendez (D-N.J.) sent letters to both Quest and LabCorp on Wednesday demanding answers, and seeking security measures to lessen the blow to patients. 

Booker and Menendez noted in a letter to LabCorp that “this isn’t the first time” the company has “come under scrutiny due to information security concerns,” adding that “the company has both the knowledge and responsibility to heighten information security standards and processes to better protect the patients it serves.”

The letter asks both companies to respond by June 14. Neither company immediately replied to a request for comment from The Hill.

Sen. Mark Warner (D-Va.), the vice chairman of the Senate Intelligence Committee, also sent a letter to Quest on Wednesday asking questions about the breach.

A spokesperson for Warner declined to comment on the letter, but pointed to the senator’s efforts to resolve gaps in the cybersecurity of the health care industry, including seeking information from key federal agencies and health groups earlier this year.

The next steps around this issue could come though legislation.

A spokesperson for Menendez told The Hill on Thursday that while the senator already has legislation that aims to protect citizens’ personal information, he is “exploring additional steps” on securing medical data following the breaches.

Menendez introduced the Consumer Data Protection Act and the Commercial Privacy Bill of Rights in the previous Congress, which aims to secure consumer personal data and hold businesses accountable for data breaches. 

The bills have not yet been reintroduced in the current Congress, but the spokesperson for Menendez said the senator may assess if the language is “sufficient” to address the threats to the health industry from data breaches. 

“Fair to say that the senator is exploring several legislative options,” the spokesperson said. “What is undeniable is that these massive data breaches are becoming all too common, and consumers need to know that their information is in safe hands.”

Tom Kellermann, the chief cybersecurity officer for cyber group Carbon Black, stressed to The Hill the need for federal lawmakers to secure health care data and health systems in general.

“The lack of security in the health care sector will inevitably impact the security of all Americans,” Kellermann said. “Congress needs to step in immediately.”

Kellermann said that current health care sector federal standards would “test your blood pressure” in an industry that should be “conducting MRIs and blood tests.”

He also emphasized that cyber threats to the health care sector are nothing new, and are among the most critical of threats online due to the ability for cyberattacks to physically harm a patient through medical devices connected to the internet, or hospital systems that go down, preventing surgeries.

These issues were underlined this week by a report from Carbon Black, which did not paint a positive picture of the security of the health care industry.

The report found that two-thirds of health groups surveyed had been targeted by a ransomware attack in the past year, which locks users out of computer systems, and that 83 percent of organizations reported an increase in cyberattacks generally in the last year.

The report placed the blame for the increased attacks on the “goldmine of personal data” that health care groups have access to and stressed that it is now time for health care professionals to consider both the patient’s physical well-being as well as their digital safety.

Kellermann pointed to health industry officials as being responsible for the lack of security in the sector.

“They do not understand technology, but yet they want to adopt it left and right, and they don’t understand that technology has a dark side, and disease comes with technology,” Kellermann said.