On June 3, 2019, Quest Diagnostics Incorporated (Quest) and Opko Health notified the U.S. Securities and Exchange Commission of a data breach affecting a third-party vendor website. The vendor was Retrieval-Masters Creditors Bureau, Inc. d/b/a American Medical Collection Agency (AMCA), which provided billing collections services.

AMCA notified various entities of “potential unauthorized activity on AMCA’s web payment page.” Specifically, between August 1, 2018 and March 30, 2019, an unauthorized user had access to AMCA’s system, which housed information collected by AMCA and information received by various entities, such as Opko Health, Quest, Carecentrix, and LabCorp. The data in AMCA’s system included credit card numbers, bank account information, medical information, and personal information, such as Social Security numbers, dates of birth, and addresses. AMCA’s system breach was reportedly first identified in late February 2019 by Gemini Advisory, an information security company, which discovered patient information for sale on dark web marketplaces and traced it back to AMCA’s online portal, according to DataBreaches.net.

AMCA’s system breach exposed information for millions of patients. Quest reported approximately 11.9 million affected patients, although it noted that since it did not supply lab test results to AMCA, the breach did not affect lab results. LabCorp reported that 7.7 million patients had their Social Security numbers, financial information, and medical data exposed. Opko Health revealed that 422,000 of its patients had names, dates of birth, phone numbers, and financial information exposed by AMCA’s system breach. Carecentrix reported 500,000 affected patients. The total scope of the breach and number of affected patients is still unknown, as some entities such as Sunrise Medical Laboratories have not disclosed affected patient population size.

On June 5, 2019, two days after Quest’s reporting, U.S. Senators Robert Menendez and Cory A. Booker wrote a letter to Quest seeking information not only about the breach, but also about Quest’s procedures, resources, efforts, frequency of security tests, the employment statistics of data security employees, the identities of the information and data security leadership, and other information about the breach. In a separate letter and inquiry to Quest, U.S. Senator Mark R. Warner complained about Quest’s management of its vendor, stating that “[w]hile I am heartened to learn that no evidence currently suggests Quest Diagnostic’s systems were breached, I am concerned about your supply chain management, and your third-party selection and monitoring process.” Senator Warner also referenced in his letter to Quest reports that “20 percent of data breaches in the health care sector last year were traced to third-party vendors, and an estimated 56% of provider organizations have experienced a third-party breach” highlighting the exposure of third-party vendor information systems. On June 7, 2019, Senators Menendez and Booker wrote a letter to AMCA seeking further information about the breach.

The fallout from this breach is wide reaching and goes further than Senate inquiry letters. More than a dozen class action lawsuits have already been filed against Quest, LabCOrp, and AMCA. On June 17, 2019, about four months after the breach was first identified, AMCA filed for bankruptcy protection in the Southern District of New York.

This matter highlights the fact that cybersecurity is an ongoing concern at every level and point in a business’s system, especially in the healthcare industry. As the AMCA breach reflects, a vendor’s system breach is viewed often as the healthcare company’s system breach. Healthcare companies, therefore, must ensure that not only their information technology meets industry standard, but also that their vendors’ information technology meets industry standards. Healthcare companies should also ensure all contracts contemplate cybersecurity and the fallout that may result if and when a breach occurs.