Quest Diagnostics and Laboratory Corporation of America Holdings (LabCorp) announced this week related data breaches that may impact up to 20 million customers who used their services between August 1, 2018 and March 30, 2019.
While details are still being confirmed from third-party medical vendor American Medical Collection Agency (AMCA), the compromised customer data is thought to have included personal, financial and medical patient data such as first and last name, date of birth, address, phone and credit card or bank account information.
(A major data breach involving one of the country’s biggest blood testing providers could affect nearly 12 million people. Quest Diagnostics says patients’ sensitive personal and medical information is at risk after criminals hacked a contract company used for bill collection. Courtesy of CBS this Morning and YouTube. Posted on Jun 4, 2019.)
“Healthcare companies have increasingly become a target for hackers and other bad actors given the vast amounts of information that is collected and stored across the medical ecosystem,” explained Kelvin Coleman, executive director of the National Cyber Security Alliance.
“Businesses and organizations that accumulate data must operate with a deep understanding of the value of that data to cyber criminals and employ a comprehensive approach to cybersecurity, including robust vendor management strategies.”
eSentire recently commissioned a survey of IT and security decision-makers, which found that nearly half (44 percent) of firms had experienced a significant, business-altering data breach caused by a vendor.
(Quest Diagnostics announced on Tuesday that the private information of 11.9 million patients may have been compromised. CyberScout founder Adam Levin reacts to the breach. Courtesy of Fox Business News and YouTube. Posted on Jun 4, 2019.)
The National Cyber Security Alliance (NCSA) recommends that employers and IT teams take the following steps to secure their business and work with third parties and vendors to secure their customers’ data:
Identify your digital “crown jewels”:
- Crown jewels are the data without which your business would have difficulty operating and/or the information that could be a high-value target for cybercriminals.
- When assessing your vendor network, the IT team needs to map out not only who your vendors are, but who their vendors are who might have access to your data or systems.
- This includes working with your vendors to confirm the data they collect and whether or not they have formal and robust cybersecurity programs in place.
Protect your assets:
- Ultimately, your goal is to build a culture of cybersecurity that includes employees knowing how to protect themselves and the business and understanding the cyber risks as your business grows or adds new technologies or functions.
- When creating third-party contracts, include non-negotiable document data ownership and management processes, including how company data is handled, who owns the data and has access to it, how long the data is retained and what happens to data once a contract is terminated.
- Only people who need access to your data should have it.
(Privacy expert and VP and Chief Privacy Officer for Cisco Michelle Dennedy gets down to business with these basic privacy and data security questions. Learn why privacy is important to organizations of all sizes and get her top tip for being #PrivacyAware. Courtesy of StaySafeOnline.org and YouTube.)
You should also have a lawyer look over any vendor agreements to ensure they take proper measures to protect data assets and grant appropriate access controls.
Be able to detect incidents:
- We have fire alarms in our businesses and homes that alert us to problems.
- In cybersecurity, the quicker you know about an incident, the quicker you can mitigate the impact and get back to normal operations.
- For vendor contracts, establish processes within your agreements that enable you to verify compliance with the negotiated terms.
- Third-party intelligence providers can also offer independent, unbiased inputs on the status of vendors.
- If a vendor is hit by a cyberattack, these third-party intelligence services will report back to you in a time-critical way.
Have a plan for responding:
- Having a recovery plan created before an attack occurs is critical.
- Develop and practice an incident response plan to contain an attack or incident and maintain business operations in the short term.
Quickly recover normal operations:
- The goal of recovery is to move from the immediate aftermath of a cyber incident to full restoration of normal systems and operations.
- Like the response step, recovery requires planning.
- Recovery is not just about fixing the causes and preventing the recurrence of a single incident.
- It’s about building out your cybersecurity posture across the whole organization (not just the IT person or group), including increasing the focus on planning for future events.
Attend a CyberSecure My Business™ Event:
- NCSA’s CyberSecure My Business holds events across the country and monthly webinars that shed light on how small and medium-sized businesses can protect themselves, their employees and their customers against the most prevalent threats.
(Infosec, the Michigan Small Business Development Center and the Federal Trade Commission to discuss best practices and resources for creating a cyber aware employee culture in your small to medium-sized business. Courtesy of StaySafeOnline.org and YouTube. Posted on May 8, 2019.)
Major breaches like these remind Americans that it is critical for internet users to remain diligent about practicing good cybersecurity habits.
NCSA recommends that consumers potentially impacted by the AMCA breach protect their accounts by following these steps to stay safer and more secure online, including:
- Monitor activity on your financial and credit card accounts.
- If appropriate, implement a fraud alert or credit freeze with one of the three credit bureaus (this is free and may be included if credit monitoring is provided post breach). For more information,
For additional information on these events and locations, visit https://staysafeonline.org/cybersecure-business/.
(Nearly 12 million Quest Diagnostics customers’ personal information has been compromised after a recent data breach struck American Medical Collection Agency (AMCA), a third-party vendor Quest uses for medical billing services. Courtesy of News4JAX and YouTube. Posted on Jun 3, 2019.)