Information security audit specialists reported a data breach incident in the major clinical company Quest Diagnostics that occurred last Monday; according to the company, an unauthorized actor obtained access to the records (including medical and financial data) of nearly 12 million of the company’s clients.
The news of the incident began to spread after
Quest filed a notification to the Securities and Exchange Commission about a
security breach in the systems of the American Medical Collection Agency (AMCA)
collection company; Quest would have reported that AMCA’s payment web page
could have been compromised from August 2018 to March 30.
In the notification, Quest mentions that the
compromised information includes data such as Social Security numbers and
financial details; the good news is that the results of the laboratory analyses
of the company’s clients were not affected.
AMCA published a statement in which it mentions
that the company began an information security audit after receiving an alert
on a possible security breach in a compliance company that works with credit
card groups.
Information security audit specialists believe
that data breaches have increased in scope and frequency in recent months, and
health-sector companies have become one of the main targets of threat actors
looking to earn profits from stealing personal data.
According to specialists from the International
Institute of Cyber Security (IICS), hackers attack the collection and billing
companies hoping to find the financial information collected by contracting
companies from the collections firms. Moreover, although it is not yet clear
how a hacker could profit from people’s health information, experts are
concerned about the relative ease with which malicious actors access this
information, either directly or exploiting vulnerabilities in partner
companies.
On previous occasions, hackers do not even have
to work too hard to access these medical and financial records, as the
companies in charge of their protection make basic security errors, exposing
them to servers and databases
without the necessary protective measures.
