Quest Diagnostics Says Personal Health Information of 34,000 Customers Hacked

Quest Diagnostics has said in a statement that a hack of an internet application on its network has exposed the personal health information of nearly 34,000 people. "Quest Diagnostics has notified affected individuals via mail and established a dedicated toll-free number to call with questions regarding this incident," the company said. CBS News reports: The Madison, New Jersey-based company says âoean unauthorized third partyâ on Nov. 26 gained access to customer information including names, dates of birth, lab results and in some instances, telephone numbers. The stolen data did not include Social Security numbers, credit card accounts, insurance details or any other financial information. Quest said Monday it is working with a cybersecurity firm and law enforcement to investigate the breach, while taking steps to prevent similar incidents from recurring. If you think you're affected by this hack, you can call (888) 320-9970.

Stop skimping on healthcare IT

[jellomizer]

Healthcare is 10 years behind the rest of the industry in IT infrastructure. This is because they keep on cheating out on their IT spendings and those Medical Doctors think they know how to do the work themselves and those hired IT guys are those little people who can do the grunt work so they don't have to.
Most of these security problems isn't the staff or developers fault. But the management who just doesn't get what it takes to keep the data safe and doesn't trust their staff to come up with proper recommendations

Re:Stop skimping on healthcare IT

I'm pretty sure the medical doctors aren't the ones making IT decisions.

Re:Stop skimping on healthcare IT

[jellomizer]

You don't work in healthcare do you?
What the MD says is what you do. Unless you are willing to back it up with a thesis, which gets tiring.
Sure there may be some management that can make some decisions but those are only ones that don't directly affect the MDs

Re: Stop skimping on healthcare IT

MD here. Worked in infosec before med school so I know a bit about both. Most healthcare facilities are run by MBAs not MDs. The suits make the IT decisions. MDs usually stay out of it as they acknowledge that they don't have the expertise.

Re: Stop skimping on healthcare IT

Well, the company that leaks information should be the one paying for new identities for all of the victims.

Re: Stop skimping on healthcare IT

[geekmux]

medical doctors think nobody should be compensated more than they are, and so refuse to pay for competent infosec.

And as a result, they'll find out very quickly who they WILL pay more than themselves.

Their lawyers.

Hope it was worth it.

Re: Stop skimping on healthcare IT

[dcornewell]

Companies don't leak information. They are hacked. They are victims as much as the people whose info is stolen.

Re: Stop skimping on healthcare IT

How is a company a victim when company could of done MORE to protect this data?

If company depends on products like Bluecoat or allows insecure Windows VPN clients, Microsoft Outlook, or uses Javascript/Flash based Web apps (dell, vmware) then company is not a victim but rather NEGLIGENT

Re: Stop skimping on healthcare IT

MD here too, ^what he said
Would add that most hospitals and healthcare facilities can only afford the B team, so they get what they pay for.

Re:Stop skimping on healthcare IT

[Joe_Dragon]

When they own the local office and make the calls they do.

Re:Stop skimping on healthcare IT

[ArmoredDragon]

You don't work in healthcare do you?
What the MD says is what you do. Unless you are willing to back it up with a thesis, which gets tiring.
Sure there may be some management that can make some decisions but those are only ones that don't directly affect the MDs

I do work in healthcare, and no, MDs don't tell us (IT) how to run day to day stuff. They will ask us to support certain applications, but they leave it up to us for how we implement them, secure them, etc.

Re: Stop skimping on healthcare IT

Your house was broken into, but your windows weren't bulletproof, ergo since you could have done more you, the homeowner, is negligent.

Re:Stop skimping on healthcare IT

Actually, they as a group, and one or MD's as deciders, very often are the loudest voice in the decision-making room.

Re:Stop skimping on healthcare IT

[BigBuckHunter]

Healthcare is 10 years behind the rest of the industry in IT infrastructure.

While I'm not going to disagree with your IT assessment, Quest Diagnostics is not a health care organization. They are for corporate drug testing. They are lab-techs, administrators, and...... What's the professional nomenclature for the dude that watches you take a piss? Either way, none of them have anything to do with the customer's health.

Re:Stop skimping on healthcare IT

yes they are, most of the places are multi doc practices unless is a big hospital.

Re:Stop skimping on healthcare IT

[dwillden]

They do health screenings for insurance purposes as well. They are thus in fact a health care organization even though they don't offer care services. They are more than just drug testing. I have to go to them every year for a health screening to get a discount on my employer's insurance.

Re: Stop skimping on healthcare IT

[scubamage]

I really wish that I had met MD's who acknowledged they weren't experts in IT when I did medical work. In my experience, most MD's couldn't comprehend that their doctorate in a single specific niche didn't automatically make them the final voice on absolutely every conceivable topic of discussion. And that was across hospitals across the entire eastern seaboard. Hence the joke lots of nurses bandy about, "Doctor in the front, asshole in the back."

Re: Stop skimping on healthcare IT

Bad analogy. It's like not having any windows at all. And someone just climbed in.

Re:Stop skimping on healthcare IT

They are a health care organization, but have few MDs involved.

Re:Stop skimping on healthcare IT

[mlw4428]

The professional nomenclature is "clinical service providers" and that measure is what I consider that makes ANY healthcare organization a healthcare organization. Lab services, Imaging services, Infusion Centers, pharmacies, and even the dialysis centers are ALL what I consider "healthcare organizations" as they are involved, directly, with clinical care operations. A third-party janitorial service would not be considered as neither would be third-party IT contractors (as examples).

Re: Stop skimping on healthcare IT

[dcornewell]

It is a good analogy. I'd bet a dollar the people that work at quest also had labs done at quest. They had their data stolen too. Their house was broken in to and they were robbed. The assumption that they were negligent is just that. An assumption. We have no info on how the hackers got in. You can get all the pen testing, coverity scans, threat assessments, security updates, and highest encryption you can find but it doesn't mean you found it all. The people responsible here are the ones doing the hacking.

Patients controlling their OWN information?

[shanen]

Gee, what if patients could actually control their own information? Dream on, you silly fool.

I gotta stop thinking about solutions, eh?

Imagine that all of your personal medical information was stored where YOU wanted it to be. One implementation would involve a decryption key in a smartcard that you would use to give permission to a doctor or hospital when they need to access your information.

Never happen. Too much like giving the patients actual rights. You know, like that Bill of Rights thing. Possession is nine points of the law, and you don't have the lawyers to make it happen, eh?

All those "eh"s? I'm not Canadian. Just wishing.

Re:Patients controlling their OWN information?

[jordanjay29]

Well, your options boil down to three (or four) choices.

1. You own your data and control its access entirely. Every time physicians, clinics, pharmacists, researchers, etc need or want access to your data, you must authorize them (to whatever extent you wish, for however long, etc). This feels like the holy grail of data access and privacy, but it also puts the legal culpability entirely on you. Give someone bad access? You're responsible. Lose the data/access device? You're responsible. Forget to bring it to your visit? You're responsible. It's like carrying around your medical data like cash, it's irreplaceable without a lot of hard work, vulnerable to theft or misplacement, but affords you the most tangible method for control.

2. Your data is held in escrow by a third party. This would be like a hybrid of the above and the system we have now. Imagine that the store you shopped at also held your bank account. Obviously, that sounds like a recipe for disaster. Our banks and credit systems are the escrow parties for our financial means (or you could use cash as in option #1). A similar system could be adopted for medical data in which hospitals, clinics, pharmacies, etc must plug into a third party in order to access your data, by your control and authorization. It creates one more link in the chain, which can aid (or also detract) in security measures, decrease personal liability (if someone steals the data from the escrow party, you're not liable and can sue for damages), but also probably costs a fee for access to your own data, either by you or the clinic.

3. The government acts as an escrow party. Enter the libertarians and anarchists to rip this option to shreds.

4. The clinics own your data and share it with others/copy it to you upon your request or authorization. The status quo.

Re:Patients controlling their OWN information?

[jellomizer]

You can ask for your copy of your medical information and they will give it to you where you can do what you want with it.
However the real problem is getting it in a format that all the healthcare providers can read.
The standard is the CCD/CDA format XML based format. However most institutions doesn't use the medical coding scheme Snowmed-CT so the data is difficult to discretely import into their systems.
Then on the whole is individuals with there medical information any more secure? No not at all it many ways it could be worse because people who could steal it would be people who know you and are emotionally in one way or an other invested in you.
So your parents gets their teenage kids record and finds failed pregnancy or an STD they could get kicked out of their home.

Re:Patients controlling their OWN information?

[Mashiki]

1. You own your data and control its access entirely. Every time physicians, clinics, pharmacists, researchers, etc need or want access to your data, you must authorize them (to whatever extent you wish, for however long, etc).

This is how it basically works in Canada, access can be revoked at any time as well. It works fine, you don't need to carry your medical information around with you, you don't need some device. You're not responsible either, but each individual organization/doctor/pharmacist/etc is responsible for the data they store. Ex: My pharmacist has access to the two doctors I permit them to access to(one is family(GP), the other is my neurologist(spinal cord treatment and migraines)), they are limited under the privacy act to what information they can request. Such as "is this the medication you've prescribed." Or "this medication conflicts with another that they're on, we'd recommend this medication instead. Do we have your permission to change it." This is covered in our privacy act, some provinces have further enforcement in regards to personalized data. In Canada government agencies have to get your permission before it can be shared even between agencies. Ex: Revenue Canada can't share between Health Canada. OHIP(Ontario Health Insurance) can't share between Health Canada, etc. Failures/breaches/etc are covered under the privacy act. The range of actions can be from the company/corporation itself right down to actions against individuals.

If you show up at a hospital for diagnostic tests, you sign a waiver on who those diagnostic tests go to or where you want them to go besides the assigning physician. The hospital holds a master copy. Go for diagnostic tests at a lab? They only go directly to the assigning physician, the lab keeps no physical copies.

Re:Patients controlling their OWN information?

[shanen]

Two responses at this time, but I'm going to bypass them because I feel like they were misdirected in a way that indicates I failed to make my main point clearly.

Under the current situation, your personal information becomes the property of someone else. I'm not saying that the doctors are insincere or that they don't want to help patients, but in business terms there are secondary factors that influence how the data is handled. Essentially it is not in their interests to share your data too easily because that would make it too easy for patients to seek other hospitals. Even worse when you start considering the involvement of the insurance companies, whose primary profit-driven interest is in screwing the expensive patients.

The patient has the strongest vested interest in maximizing the effective sharing of the information. That is why I think the patient should have effective control over the information and the valid feeling of ownership. I actually think it should be augmented with the patient's own data for mining by physicians seeking evidence for and against various possible diagnoses. (However, I take a similar position as regards all of our personal information, per my sig.)

I'm also sure that Quest Diagnostics had no desire to leak the information--but it wasn't really THEIR information that was being leaked. It was other people's information that they are allowed to claim ownership over.

Re:Patients controlling their OWN information?

[geekmux]

Gee, what if patients could actually control their own information? Dream on, you silly fool.

I gotta stop thinking about solutions, eh?

Imagine that all of your personal medical information was stored where YOU wanted it to be. One implementation would involve a decryption key in a smartcard that you would use to give permission to a doctor or hospital when they need to access your information.

Never happen. Too much like giving the patients actual rights. You know, like that Bill of Rights thing. Possession is nine points of the law, and you don't have the lawyers to make it happen, eh?

All those "eh"s? I'm not Canadian. Just wishing.

Uh "decryption key"? in a "smartcard"?

You must be new here (to this planet), and have not yet been exposed to the general ignorance that humanity blindly provides. There's a reason banking PINs are only 4 numbers long, so while you're rambling on about advanced security solutions, the other 90% of humans around you drip drool from a blank stare trying to understand what the fuck you're saying.

Oh, and do they even bother teaching about the Bill of Rights anymore? With the violations going on, the government would be setting themselves up for retaliation if the masses were actually educated on how they should be protected. Possession my ass. Read your EULAs. You don't "own" anything anymore.

Re:Patients controlling their OWN information?

[geekmux]

I'm also sure that Quest Diagnostics had no desire to leak the information--but it wasn't really THEIR information that was being leaked. It was other people's information that they are allowed to claim ownership over.

Well, that's one hell of a way of labeling the problem. Quest Diagnostics has a legal liability to protect information shared with them, and there's a monumental difference between ownership and stewardship, which I'm certain their lawyers will understand.

Re:Patients controlling their OWN information?

[jordanjay29]

each individual organization/doctor/pharmacist/etc is responsible for the data they store.

Nope, this is the status quo as described in #4. You don't keep your data, the clinic does. You may "own" it but that ownership is only de jure.

Re:Patients controlling their OWN information?

[Mashiki]

Nope, this is the status quo as described in #4. You don't keep your data, the clinic does. You may "own" it but that ownership is only de jure.

Nope. In Canada a clinic is a "doctors office." On top of that the only person that can transfer records from doctor to doctor is the patient. This is a fundamental part of the privacy act.

Re:Patients controlling their OWN information?

[tomhath]

Imagine that all of your personal medical information was stored where YOU wanted it to be. One implementation would involve a decryption key in a smartcard that you would use to give permission to a doctor or hospital when they need to access your information.

Image a very high percentage of the people who go to a doctor or hospital are unable to provide their own name or birth date. You want to try getting a decryption key from them?

Re:Patients controlling their OWN information?

[jordanjay29]

Yes, I'm telling you, Canada and the US are the same here. It's still not your data. You control the access, but that's about it. It's "your" data, not your data.

Re:Patients controlling their OWN information?

[zifn4b]

3. The government acts as an escrow party. Enter the libertarians and anarchists to rip this option to shreds.

Indeed. Countries are just organized groups of people. They self organize for the collective benefit and appoint different people/groups for specialized functions but at the core of every organized group of people is that we are all individual people working together. Countries don't own citizens. Governments don't own citizens. The reason is because countries and governments are composed of the same humans. The distinction between citizen, leader, king, government official, etc. is artificial. We all live, we all die, we all bleed. We originally all started out as prehistoric people that couldn't talk and spent copious amounts of times scratching and sniffing our butts.

If you understand and agree with this philosophy then the only logical choice is that the PHI of an individual human being belongs to that human being and they are wholly responsible for it in exactly the same way they are responsible for storing valuables in a safe. You wouldn't say the government is responsible for storing your money safely right? I rest my case.

Re:Patients controlling their OWN information?

[zifn4b]

Uh "decryption key"? in a "smartcard"?

I believe they misspoke and are in reality referring to PKI: https://en.wikipedia.org/wiki/.... Obviously, you'd never want to store a decryption key on a smart card or use an encryption scheme whereby a block of data could be decrypted with a single key. Everyone knows that's not secure.

the other 90% of humans around you drip drool from a blank stare trying to understand what the fuck you're saying.

Well, you could say the same thing about people when it comes to learning how to use firearms but if you want to be more safe in your own home, you're better off 1) having guns and 2) knowing how to use them. Ignorance is not an excuse.

Re:Patients controlling their OWN information?

[jordanjay29]

You wouldn't say the government is responsible for storing your money safely right? I rest my case.

As a counterpoint for the sake of argument, there are many countries who do have a national bank which does just that (and successfully). I do agree on the philosophical level that government entities are not always the most trustworthy, and yet on the otherhand they're also the ones responsible for enforcing the laws and protections we're complaining about being violated here.

Re:Patients controlling their OWN information?

[geekmux]

the other 90% of humans around you drip drool from a blank stare trying to understand what the fuck you're saying.

Well, you could say the same thing about people when it comes to learning how to use firearms but if you want to be more safe in your own home, you're better off 1) having guns and 2) knowing how to use them. Ignorance is not an excuse.

Most humans understand the pull-this-thing device that actuates the "boom" end of the boomstick, along with the whopping four rules of gun safety, with the consequences being far more black and white.

When it comes to computers, we are well beyond the point of simple ignorance. It's more like willful ignorance, also known as "what we pay you nerds for".

We're talking about a user community who would prefer shoving a thumb drive up their own ass to secure their data rather than learn about encryption, PKI, or complex passphrases. Makes me really wonder about that whole ignorance is bliss concept.

Re:Patients controlling their OWN information?

[Mashiki]

Yes, I'm telling you, Canada and the US are the same here. It's still not your data. You control the access, but that's about it. It's "your" data, not your data.

The law is telling you it's not. The privacy act makes that fundamentally clear. So do things like PHIPA and so do things like PIPEDA. "Your" data is yours, PHIPA even goes further allowing patients to "lock box" personal information from ALL parties except those directly disclosed.

Re:Patients controlling their OWN information?

[JackieBrown]

That's how it is in the US too.

I have to sign a release per doctor/lab/family member/ etc for them to have access. In fact, my insurance company only allows me to authorize a family to access my account for at most one year before I need to fill out the forms again.

It was not always the case here, but has been for the past 15 plus years (HIPPA is what helped define this.)

Re:Patients controlling their OWN information?

https://xkcd.com/927/
At least we agree on DICOM

Re:Patients controlling their OWN information?

Dont forget the paper that says 'they are allowed to do anything with the data, share it, keep it, etc.... that they want to do " Don't want to sign it? Then you can't see the doctor. And don't tell me it's illegal for them to have you sign it, because you *could* go get a lawyer and sue and take all that time and money and win.... but for the normal person who took a day off to see the doc, they don't have that luxury.

Re:Patients controlling their OWN information?

[chihowa]

He's talking about who is actually in possession of the records, not who has/grants legal authority to access them.

Is the data in your hand, as in you can leaf through it yourself, or do you merely control who has access to it? Are you responsible for bringing all of your heath records to the physician's office, or do they already have them all and you're merely "authorizing" them to access the records?

#1 You physically hold and secure the records

#2 A "trusted" third party holds the records

#3 The government holds the records

#4 The physicians offices, insurance companies, billing services, etc each hold some or all of the records.

Re:Patients controlling their OWN information?

[zifn4b]

When it comes to computers, we are well beyond the point of simple ignorance. It's more like willful ignorance, also known as "what we pay you nerds for".

I agree but the same could be said about physical protection. Some people think "that's what my tax dollars pay the police to do, protect me" not realizing that the police won't get there until well after the damage is done. It's actually quite similar but equally ignorant and unreasonable.

Re:Patients controlling their OWN information?

[shanen]

Mostly doesn't appear to be a productive discussion, but let me try to at least clarify my position on some of the issues that have been discussed.

I do think you should have the right to designate where your personal information is stored, but I am willing to accept that sufficiently secure encryption with the patient's control over the key is an adequate substitute for physical possession of the storage devices. I also think this same basic principle should apply to all of your personal data, not just your medical data.

The part of the discussion about specifying the usage of your data is in the area of "privacy policies", which could be largely automated. I'd prefer to use a financial records example to make this clear, but I think it would potentially muddle the discussion, so I'm just going to try to summarize it by saying that any entity that wants to access your personal data should be required to explain why, and the ultimate decision should be yours, even if you have delegated most of the routine decisions to a privacy-policy enforcer (which might be software or even a lawyer).

I agree that there is a need to consider backups, including ways to recover from a lost key (which usually means some kind of escrow system), but I think that is mostly a solved problem. Basically the appeals to the escrow mechanism must be publicly visible, not secret. There is a layer of protection in the selection of your preferred escrow mechanism.

(As a general principle, I think that most of the "justified" appeals to secrecy and anonymity are based on prior secrecy and prior anonymity. However, the desire for privacy is ultimately justified as part of "personal freedom", which I value highly.)

Re:Patients controlling their OWN information?

[shanen]

Reply noticed, but excessive rudeness justifies (and even calls for) no substantive response. Perhaps if you could only add a touch of wittiness?

Re:Patients controlling their OWN information?

[shanen]

Actually a sound point, but my focus is on "possession is nine points of the law". It can be quite difficult to prove that a steward has been insufficiently cautious, but if you possess something, then there is a strong (legal) presumption you should continue to possess it. From that perspective, unauthorized possession can already be regarded as the crime without worrying too much about how it happened.

Re:Patients controlling their OWN information?

[shanen]

This part seems to be addressed to me? If so, my response is that it differs little from the current obligation to provide proof of medical insurance. Of course there are problems in emergency situations, as when dealing with an unconscious patient, but we already have mechanisms to deal with such medical emergencies first and worry about the payment afterwards.

Re:Patients controlling their OWN information?

[Mashiki]

Is the data in your hand, as in you can leaf through it yourself, or do you merely control who has access to it?

It can be, you only have to request it. You can also revoke access if you take your data with it you. The laws protects you in that regard, your data is yours.

Are you responsible for bringing all of your heath records to the physician's office, or do they already have them all and you're merely "authorizing" them to access the records?

If you're moving from a doctors office to another? Yes. You are responsible. Doctor-patient privileges "kick in" you only authorize the party you want.

So to answer your questions:

#1 Yes if you want.

#2 Only pertaining information, otherwise it's secondary. Hospital, doctors office, and so on. There are no 3rd parties that have access.

#3 The government has no access unless you grant it to them.

#4 Doctors officers only hold them if you go to that doctor, you can request them at any time. No insurance companies, billing services, have access to any form of your medical records unless you stipulate it.

Re:Patients controlling their OWN information?

You're having a really hard time with this. Consider that this story is about the inadvertent and unlawful leaking of records due to certain people having physical possession of the records. We're not talking about legal authorization to access records at all, but exclusive physical possession of records. None of your numbered list refer to exclusive physical possession of records at all.

conspire to occupy the truth about us..

sing along... https://www.youtube.com/watch?v=Lin-a2lTelg ..

my data

[bigtreeman]

Fecking idiots.
Why isn't health data held by the patient.

Re:my data

Or, you know, on paper? I much prefer to walk into a doctor's office and see the patients' records on paper, in folders, on shelves.

Sadly, the doctors are being forced to make everything "digital". Even my dentist's office is changing over (and they hate it - even the xray images aren't as good as the old films - poorer resolution and they don't show enough of the root structure).

This is not progress.

Re:my data

digital x-rays have lower resolution but far less radiation, even when is repeated a few time to get a clearer pic

Re:my data

[cdrudge]

That's silly. You wouldn't understand it and it's best if only medical professionals have it and just tell you what you need to know. That's more or less what Quest told me last time I went to them.

My insurance pays 100% of lab costs if we go through Quest for lab work. My first visit I had to wait about a week and a half for normal blood work that normally is available the next day at another lab. After my results were ready, I was told I had to contact my doctor and I couldn't get the actual results as the doctor has to have a chance to properly interpret them and notify me. It took another week to actually get the official results.

Fuck Quest. I go to another lab and gladly pay the 20% for lab work.

Re:my data

[zifn4b]

Even my dentist's office is changing over (and they hate it - even the xray images aren't as good as the old films - poorer resolution and they don't show enough of the root structure).

This is not progress.

Uh, I've been to several healthcare providers that use digital imaging and it is incredibly high resolution. I think what your dentist is complaining about is that in order to get the same or better resolution means they have to spend some money to upgrade their old technology and they're really complaining about the cost of coming up-to-date with technology.

Re:my data

Digital X-ray has a way higher resolution for most medical applications. Film can get better resolutions for a lower cost (smaller pixels can be made), but this requires very high exposures that are only used in industrial applications. The dose from a digital device can easily be 1/25th for the same image quality.

Re:my data

Sadly, the doctors are being forced to make everything "digital". Even my dentist's office is changing over (and they hate it - even the xray images aren't as good as the old films - poorer resolution and they don't show enough of the root structure).

My dentist has gone fully digital and the images they can get off your teeth are exceptionally detailed. It is very easy for the dentist to display the images of your teeth in front of you and point out potential issues of which some can be deferred and others may need urgent treatment.

Re:my data

[mlw4428]

Oh yes and when a healthcare provider closes down (whether out of retirement, bankruptcy, etc) and your records get dumped on a curb (it's happened) outside of the doctor's house because the local hospital got tired of playing record keeper, you'd be singing a different tune. Or when your doc's office goes up in flames and their entire lots worth of archived data gets burnt. But now, let's say your doc makes duplicates or triplicates of everything and stores it all offsite. Who is going to pay for that? Who keeps that storage facility safe? What if you get sick and your doc needs to pull records for the last couple of years to research it? There are PLENTY of reasons to prefer electronic over paper.

Furthermore there's tons of research that is ongoing by hospitals with JUST your data. They're finding correlations and patterns and other amazing things BECAUSE that data can be modeled and understood. Just because you're too short sighted to see the benefits, doesn't mean there aren't plenty. And the younger medical providers from doctors to dentists, from nurses to EMS techs ALL are loving digital because there are a ton of benefits.

As for your "resolution" - tell your dentist to quit being cheap and upgrade. High resolution, digital, imaging systems exist with both 2D/3D capabilities. I've seen ones that can even show you, to some degree, the folds in your own brain. And that can be tagged, shared, and consulted on by multiple dentists (or doctors or whomever). There's literally no real benefit to paper records.

896 million facebook accounts

131918490294 Dec 11 23:01 FBfullenchalada.xz

Quest Care360

[Mr+Foobar]

It seems a lot of the posters here really didn't read the article, and/or have no idea just exactly what got hacked.

Disclosure: I work with their major competitor. We have an online app almost exactly like Quest's, as do many of our competitors. Most of these online apps have about the same functionality, more or less, and work very similarly.

Care360 is Quest's online results delivery online app. The app itself belongs to Quest, and is run on hardware they own/lease. Provider offices ask for access to this app to receive their patient results. Typically this access is very restricted and narrow. The provider office only see the results they need to see. Some offices only see a couple new results a day (if any), other offices may see hundreds, even thousands of new results a day. An optional piece of software is an autoprint utility, which allows the office to get results automatically printed to some office printer, or even as PDF files on a receiving computer. Even another option is to have the results automatically received into the office management system with an electronic data interface.

Another part of these systems allows the client to make a test requisition that can either be given to the patient, put into a system that the blood draw centers can receive, or go along with the specimens the office draws themselves. This is what I think got hacked. This requisition making system has all the patient demographics needed to process and bill the patient's lab work, including their address info, responsible party info, and insurance subscriber info including any needed billing info. It is everything the lab needs to know to bill, and in most cases also includes diagnosis codes. It is quite a lot of info for each patient, and has to be current for a successful billing.

You sound just like the cops

Ooo, my job gets harder if I can't know everything about anyone! Don't worry ... I promise never to snoop in your data for purely personal or financial reasons!

If we as a society can believe that it's better to let some criminal cases go unsolved to protect privacy abuses, then maybe we're not pants on head retarded to believe a few (extra) misdiagnoses are also a reasonable price to protect privacy abuses.

Re:You sound just like the cops

[tomhath]

Are you the one willing to pay the multi-million dollar wrongful death suit for the misdiagnoses?

Re:Shoot to kill

[drinkypoo]

Law enforcement needs to start treating people who hack into medical facilities the way they currently treat unarmed black men.

We need to treat corporations that get hacked and lose our private data the same way we treat politicians that get hacked and lose emails.

Re:Shoot to kill

We need to treat politicians that get hacked and lose emails the same way we treat unarmed black men too.

The circle of hate is complete.

Patients aren't always the customer anyway

Don't forget Quest and Labcorp do the majority of drug testing in this company for corporations. My current employer gave one of them my ssn when I went to have my drug test. Nothing I can ever do to get that data back from that company until they decide to get rid of it, and I had no say in giving it over to them.

Well, this sucks

[scubamage]

Both the wife and I have been through numerous blood draws recently at Quest over the past few months. Really hoping our info wasn't stolen. Yet again.