Quest Diagnostics Says Personal Health Information of 34,000 Customers Hacked (cbsnews.com)
Quest Diagnostics has said in a statement that a hack of an internet application on its network has exposed the personal health information of nearly 34,000 people. "Quest Diagnostics has notified affected individuals via mail and established a dedicated toll-free number to call with questions regarding this incident," the company said. CBS News reports: The Madison, New Jersey-based company says "an unauthorized third party" on Nov. 26 gained access to customer information including names, dates of birth, lab results and in some instances, telephone numbers. The stolen data did not include Social Security numbers, credit card accounts, insurance details or any other financial information. Quest said Monday it is working with a cybersecurity firm and law enforcement to investigate the breach, while taking steps to prevent similar incidents from recurring. If you think you're affected by this hack, you can call (888) 320-9970.
1. You own your data and control its access entirely. Every time physicians, clinics, pharmacists, researchers, etc need or want access to your data, you must authorize them (to whatever extent you wish, for however long, etc).
This is how it basically works in Canada; access can be revoked at any time as well. It works fine, you don't need to carry your medical information around with you, you don't need some device. You're not responsible either, but each individual organization/doctor/pharmacist/etc. is responsible for the data they store. Ex: My pharmacist has access to the two doctors I permit them to access (one is family (GP), the other is my neurologist (spinal cord treatment and migraines)); they are limited under the privacy act to what information they can request, such as "is this the medication you've prescribed?" or "this medication conflicts with another that they're on, we'd recommend this medication instead. Do we have your permission to change it?" This is covered in our privacy act; some provinces have further enforcement in regards to personalized data. In Canada government agencies have to get your permission before it can be shared even between agencies. Ex: Revenue Canada can't share between Health Canada. OHIP (Ontario Health Insurance) can't share between Health Canada, etc. Failures/breaches/etc. are covered under the privacy act. The range of actions can be from the company/corporation itself right down to actions against individuals.
If you show up at a hospital for diagnostic tests, you sign a waiver on who those diagnostic tests go to or where you want them to go besides the assigning physician. The hospital holds a master copy. Go for diagnostic tests at a lab? They only go directly to the assigning physician, the lab keeps no physical copies.
Om, nomnomnom...
I'm also sure that Quest Diagnostics had no desire to leak the information--but it wasn't really THEIR information that was being leaked. It was other people's information that they are allowed to claim ownership over.
Well, that's one hell of a way of labeling the problem. Quest Diagnostics has a legal liability to protect information shared with them, and there's a monumental difference between ownership and stewardship, which I'm certain their lawyers will understand.
It seems a lot of the posters here really didn't read the article, and/or have no idea just exactly what got hacked.
Disclosure: I work with their major competitor. We have an online app almost exactly like Quest's, as do many of our competitors. Most of these online apps have about the same functionality, more or less, and work very similarly.
Care360 is Quest's online results delivery online app. The app itself belongs to Quest, and is run on hardware they own/lease. Provider offices ask for access to this app to receive their patient results. Typically this access is very restricted and narrow. The provider office only sees the results they need to see. Some offices only see a couple new results a day (if any), other offices may see hundreds, even thousands of new results a day. An optional piece of software is an autoprint utility, which allows the office to get results automatically printed to some office printer, or even as PDF files on a receiving computer. Even another option is to have the results automatically received into the office management system with an electronic data interface.
Another part of these systems allows the client to make a test requisition that can either be given to the patient, put into a system that the blood draw centers can receive, or go along with the specimens the office draws themselves. This is what I think got hacked. This requisition making system has all the patient demographics needed to process and bill the patient's lab work, including their address info, responsible party info, and insurance subscriber info including any needed billing info. It is everything the lab needs to know to bill, and in most cases also includes diagnosis codes. It is quite a lot of info for each patient, and has to be current for a successful billing.
-> I dislike sigs...
You don't work in healthcare, do you?
What the MD says is what you do. Unless you are willing to back it up with a thesis, which gets tiring.
Sure, there may be some management that can make some decisions, but those are only ones that don't directly affect the MDs.
I do work in healthcare, and no, MDs don't tell us (IT) how to run day to day stuff. They will ask us to support certain applications, but they leave it up to us for how we implement them, secure them, etc.