Quest Diagnostics, a clinical laboratory service provider based in Madison, New Jersey, is warning 34,000 patients that some of their electronic protected health information (ePHI) has been stolen.
Quest Diagnostics is a business associate (BA) of several healthcare providers throughout the United States, so patients across the country have been affected by the breach.
On November 26, 2016, an unknown individual accessed the MyQuest by Care360® internet application and successfully gained access to a number of patient files. The intrusion was detected two days later, when staff returned to work on Monday.
Once the breach was detected, access to the internet application was blocked to prevent any more files from being copied or accessed, and a prominent cybersecurity company was hired to carry out a detailed investigation of the breach.
The investigation revealed that patients' test results were copied together with dates of birth, names, and some phone numbers, although no highly confidential data such as health insurance information, Social Security numbers, or financial information was copied or retrieved. The cybersecurity company is also carrying out a detailed evaluation of the cybersecurity defenses in place to prevent unauthorized data access. Once that evaluation is complete, additional defenses will be put in place to prevent future breaches of this type.
Quest Diagnostics responded quickly to the breach and sent notification letters to patients within two weeks of the breach first being detected, well within the 60-day breach notification deadline set by HIPAA.
Although only two weeks have passed since the breach, Quest Diagnostics has not so far received any reports of patient files being misused. Quest Diagnostics has informed patients “we don’t think that you require taking any actions at this time to defend yourself in reaction to this breach.”
The breach has been reported to federal law enforcement agencies, and the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general have also been informed.