Quest Diagnostics Says Personal Health Information of 34,000 Customers Hacked (cbsnews.com)
Quest Diagnostics has said in a statement that a hack of an internet application on its network has exposed the personal health information of nearly 34,000 people. "Quest Diagnostics has notified affected individuals via mail and established a dedicated toll-free number to call with questions regarding this incident," the company said. CBS News reports: The Madison, New Jersey-based company says "an unauthorized third party" on Nov. 26 gained access to customer information including names, dates of birth, lab results and in some instances, telephone numbers. The stolen data did not include Social Security numbers, credit card accounts, insurance details or any other financial information. Quest said Monday it is working with a cybersecurity firm and law enforcement to investigate the breach, while taking steps to prevent similar incidents from recurring. If you think you're affected by this hack, you can call (888) 320-9970.
1. You own your data and control its access entirely. Every time physicians, clinics, pharmacists, researchers, etc need or want access to your data, you must authorize them (to whatever extent you wish, for however long, etc). This feels like the holy grail of data access and privacy, but it also puts the legal culpability entirely on you. Give someone bad access? You're responsible. Lose the data/access device? You're responsible. Forget to bring it to your visit? You're responsible. It's like carrying around your medical data like cash, it's irreplaceable without a lot of hard work, vulnerable to theft or misplacement, but affords you the most tangible method for control.
2. Your data is held in escrow by a third party. This would be like a hybrid of the above and the system we have now. Imagine that the store you shopped at also held your bank account. Obviously, that sounds like a recipe for disaster. Our banks and credit systems are the escrow parties for our financial means (or you could use cash as in option #1). A similar system could be adopted for medical data in which hospitals, clinics, pharmacies, etc must plug into a third party in order to access your data, by your control and authorization. It creates one more link in the chain, which can aid (or also detract) in security measures, decrease personal liability (if someone steals the data from the escrow party, you're not liable and can sue for damages), but also probably costs a fee for access to your own data, either by you or the clinic.
3. The government acts as an escrow party. Enter the libertarians and anarchists to rip this option to shreds.
4. The clinics own your data and share it with others/copy it to you upon your request or authorization. The status quo.
MD here. Worked in infosec before med school so I know a bit about both. Most healthcare facilities are run by MBAs not MDs. The suits make the IT decisions. MDs usually stay out of it as they acknowledge that they don't have the expertise.
Or, you know, on paper? I much prefer to walk into a doctor's office and see the patients' records on paper, in folders, on shelves.
Sadly, the doctors are being forced to make everything "digital". Even my dentist's office is changing over (and they hate it - even the xray images aren't as good as the old films - poorer resolution and they don't show enough of the root structure).
This is not progress.
1. You own your data and control its access entirely. Every time physicians, clinics, pharmacists, researchers, etc need or want access to your data, you must authorize them (to whatever extent you wish, for however long, etc).
This is how it basically works in Canada, access can be revoked at any time as well. It works fine, you don't need to carry your medical information around with you, you don't need some device. You're not responsible either, but each individual organization/doctor/pharmacist/etc is responsible for the data they store. Ex: My pharmacist has access to the two doctors I permit them to access (one is family (GP), the other is my neurologist (spinal cord treatment and migraines)), they are limited under the privacy act to what information they can request. Such as "is this the medication you've prescribed." Or "this medication conflicts with another that they're on, we'd recommend this medication instead. Do we have your permission to change it." This is covered in our privacy act, some provinces have further enforcement in regards to personalized data. In Canada government agencies have to get your permission before it can be shared even between agencies. Ex: Revenue Canada can't share between Health Canada. OHIP (Ontario Health Insurance) can't share between Health Canada, etc. Failures/breaches/etc are covered under the privacy act. The range of actions can be from the company/corporation itself right down to actions against individuals.
If you show up at a hospital for diagnostic tests, you sign a waiver on who those diagnostic tests go to or where you want them to go besides the assigning physician. The hospital holds a master copy. Go for diagnostic tests at a lab? They only go directly to the assigning physician, the lab keeps no physical copies.
Om, nomnomnom...
Gee, what if patients could actually control their own information? Dream on, you silly fool.
I gotta stop thinking about solutions, eh?
Imagine that all of your personal medical information was stored where YOU wanted it to be. One implementation would involve a decryption key in a smartcard that you would use to give permission to a doctor or hospital when they need to access your information.
Never happen. Too much like giving the patients actual rights. You know, like that Bill of Rights thing. Possession is nine points of the law, and you don't have the lawyers to make it happen, eh?
All those "eh"s? I'm not Canadian. Just wishing.
Uh "decryption key"? in a "smartcard"?
You must be new here (to this planet), and have not yet been exposed to the general ignorance that humanity blindly provides. There's a reason banking PINs are only 4 numbers long, so while you're rambling on about advanced security solutions, the other 90% of humans around you drip drool from a blank stare trying to understand what the fuck you're saying.
Oh, and do they even bother teaching about the Bill of Rights anymore? With the violations going on, the government would be setting themselves up for retaliation if the masses were actually educated on how they should be protected. Possession my ass. Read your EULAs. You don't "own" anything anymore.
MD here too, ^what he said
Would add that most hospitals and healthcare facilities can only afford the B team, so they get what they pay for.
It seems a lot of the posters here really didn't read the article, and/or have no idea just exactly what got hacked.
Disclosure: I work with their major competitor. We have an online app almost exactly like Quest's, as do many of our competitors. Most of these online apps have about the same functionality, more or less, and work very similarly.
Care360 is Quest's online results delivery online app. The app itself belongs to Quest, and is run on hardware they own/lease. Provider offices ask for access to this app to receive their patient results. Typically this access is very restricted and narrow. The provider office only sees the results they need to see. Some offices only see a couple new results a day (if any), other offices may see hundreds, even thousands of new results a day. An optional piece of software is an autoprint utility, which allows the office to get results automatically printed to some office printer, or even as PDF files on a receiving computer. Even another option is to have the results automatically received into the office management system with an electronic data interface.
Another part of these systems allows the client to make a test requisition that can either be given to the patient, put into a system that the blood draw centers can receive, or go along with the specimens the office draws themselves. This is what I think got hacked. This requisition making system has all the patient demographics needed to process and bill the patient's lab work, including their address info, responsible party info, and insurance subscriber info including any needed billing info. It is everything the lab needs to know to bill, and in most cases also includes diagnosis codes. It is quite a lot of info for each patient, and has to be current for a successful billing.
-> I dislike sigs...
Even my dentist's office is changing over (and they hate it - even the xray images aren't as good as the old films - poorer resolution and they don't show enough of the root structure).
This is not progress.
Uh, I've been to several healthcare providers that use digital imaging and it is incredibly high resolution. I think what your dentist is complaining about is that in order to get the same or better resolution means they have to spend some money to upgrade their old technology and they're really complaining about the cost of coming up-to-date with technology.
We'll make great pets
You don't work in healthcare do you?
What the MD says is what you do. Unless you are willing to back it up with a thesis, which gets tiring.
Sure there may be some management that can make some decisions but those are only ones that don't directly affect the MDs.
I do work in healthcare, and no, MDs don't tell us (IT) how to run day to day stuff. They will ask us to support certain applications, but they leave it up to us for how we implement them, secure them, etc.