Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Medicine Security Network Networking Privacy The Internet

Quest Diagnostics Says Personal Health Information of 34,000 Customers Hacked (cbsnews.com) 69

Quest Diagnostics has said in a statement that a hack of an internet application on its network has exposed the personal health information of nearly 34,000 people. "Quest Diagnostics has notified affected individuals via mail and established a dedicated toll-free number to call with questions regarding this incident," the company said. CBS News reports: The Madison, New Jersey-based company says âoean unauthorized third partyâ on Nov. 26 gained access to customer information including names, dates of birth, lab results and in some instances, telephone numbers. The stolen data did not include Social Security numbers, credit card accounts, insurance details or any other financial information. Quest said Monday it is working with a cybersecurity firm and law enforcement to investigate the breach, while taking steps to prevent similar incidents from recurring. If you think you're affected by this hack, you can call (888) 320-9970.
This discussion has been archived. No new comments can be posted.

Quest Diagnostics Says Personal Health Information of 34,000 Customers Hacked

Comments Filter:
  • Healthcare is 10 years behind the rest of the industry in IT infrastructure. This is because they keep on cheating out on their IT spendings and those Medical Doctors think they know how to do the work themselves and those hired IT guys are those little people who can do the grunt work so they don't have to.
    Most of these security problems isn't the staff or developers fault. But the management who just doesn't get what it takes to keep the data safe and doesn't trust their staff to come up with proper reco

    • Re: (Score:2, Insightful)

      by Anonymous Coward
      I'm pretty sure the medical doctors aren't the ones making IT decisions.
      • Re: (Score:1, Flamebait)

        by jellomizer ( 103300 )

        You don't work in healthcare do you?
        What the MD says is what you do. Unless you are willing to back it up with a thesis, which gets tiring.
        Sure there may be some management that can make some decisions but those are only ones that don't directly affect the MDs

        • by Anonymous Coward on Tuesday December 13, 2016 @06:14AM (#53474815)

          MD here. Worked in infosec before med school so I know a bit about both. Most healthcare facilities are run by MBAs not MDs. The suits make the IT decisions. MDs usually stay out of it as they acknowledge that they don't have the expertise.

          • Re: (Score:3, Insightful)

            by Anonymous Coward

            MD here too, ^what he said
            Would add that most hospitals and healthcare facilities can only afford the B team, so they get what they pay for.

          • I really wish that I had met MD's who acknowledged they weren't experts in IT when I did medical work. In my experience, most MD's couldn't comprehend that their doctorate in a single specific niche didn't automatically make them the final voice on absolutely every conceivable topic of discussion. And that was across hospitals across the entire eastern seaboard. Hence the joke lots of nurses bandy about, "Doctor in the front, asshole in the back."
        • by Anonymous Coward

          Well, the company that leaks information should be the one paying for new identities for all of the victims.

          • Companies don't leak information. They are hacked. They are victims as much as the people whose info is stolen.
        • by ArmoredDragon ( 3450605 ) on Tuesday December 13, 2016 @08:56AM (#53475365)

          You don't work in healthcare do you?
          What the MD says is what you do. Unless you are willing to back it up with a thesis, which gets tiring.
          Sure there may be some management that can make some decisions but those are only ones that don't directly affect the MDs

          I do work in healthcare, and no, MDs don't tell us (IT) how to run day to day stuff. They will ask us to support certain applications, but they leave it up to us for how we implement them, secure them, etc.

      • When they own the local office and make the calls they do.

    • Healthcare is 10 years behind the rest of the industry in IT infrastructure.

      While I'm not going to disagree with your IT assessment, Quest Diagnostics is not a health care organization. They are for corporate drug testing. They are lab-techs, administrators, and...... What's the professional nomenclature for the dude that watches you take a piss? Either way, none of them have anything to do with the customer's health.

      • They do health screenings for insurance purposes as well. They are thus in fact a health care organization even though they don't offer care services. They are more than just drug testing. I have to go to them every year for a health screening to get a discount on my employer's insurance.
      • The professional nomenclature is "clinical service providers" and that measure is what I consider that makes ANY healthcare organization a healthcare organization. Lab services, Imaging services, Infusion Centers, pharmacies, and even the dialysis centers are ALL what I consider "healthcare organizations" as they are involved, directly, with clinical care operations. A third-party janitorial service would not be considered as neither would be third-party IT contractors (as examples).
  • Gee, what if patients could actually control their own information? Dream on, you silly fool.

    I gotta stop thinking about solutions, eh?

    Imagine that all of your personal medical information was stored where YOU wanted it to be. One implementation would involve a decryption key in a smartcard that you would use to give permission to a doctor or hospital when they need to access your information.

    Never happen. Too much like giving the patients actual rights. You know, like that Bill of Rights thing. Possession

    • by jordanjay29 ( 1298951 ) on Tuesday December 13, 2016 @05:51AM (#53474775)
      Well, your options boil down to three (or four) choices.

      1. You own your data and control its access entirely. Every time physicians, clinics, pharmacists, researchers, etc need or want access to your data, you must authorize them (to whatever extent you wish, for however long, etc). This feels like the holy grail of data access and privacy, but it also puts the legal culpability entirely on you. Give someone bad access? You're responsible. Lose the data/access device? You're responsible. Forget to bring it to your visit? You're responsible. It's like carrying around your medical data like cash, it's irreplaceable without a lot of hard work, vulnerable to theft or misplacement, but affords you the most tangible method for control.

      2. Your data is held in escrow by a third party. This would be like a hybrid of the above and the system we have now. Imagine that the store you shopped at also held your bank account. Obviously, that sounds like a recipe for disaster. Our banks and credit systems are the escrow parties for our financial means (or you could use cash as in option #1). A similar system could be adopted for medical data in which hospitals, clinics, pharmacies, etc must plug into a third party in order to access your data, by your control and authorization. It creates one more link in the chain, which can aid (or also detract) in security measures, decrease personal liability (if someone steals the data from the escrow party, you're not liable and can sue for damages), but also probably costs a fee for access to your own data, either by you or the clinic.

      3. The government acts as an escrow party. Enter the libertarians and anarchists to rip this option to shreds.

      4. The clinics own your data and share it with others/copy it to you upon your request or authorization. The status quo.

      • 1. You own your data and control its access entirely. Every time physicians, clinics, pharmacists, researchers, etc need or want access to your data, you must authorize them (to whatever extent you wish, for however long, etc).

        This is how it basically works in Canada, access can be revoked at any time as well. It works fine, you don't need to carry your medical information around with you, you don't need some device. You're not responsible either, but each individual organization/doctor/pharmacist/etc is responsible for the data they store. Ex: My pharmacist has access to the two doctors I permit them to access to(one is family(GP), the other is my neurologist(spinal cord treatment and migraines)), they are limited under the privacy act to what information they can request. Such as "is this the medication you've prescribed." Or "this medication conflicts with another that they're on, we'd recommend this medication instead. Do we have your permission to change it." This is covered in our privacy act, some provinces have further enforcement in regards to personalized data. In Canada government agencies have to get your permission before it can be shared even between agencies. Ex: Revenue Canada can't share between Health Canada. OHIP(Ontario Health Insurance) can't share between Health Canada, etc. Failures/breaches/etc are covered under the privacy act. The range of actions can be from the company/corporation itself right down to actions against individuals.

        If you show up at a hospital for diagnostic tests, you sign a waiver on who those diagnostic tests go to or where you want them to go besides the assigning physician. The hospital holds a master copy. Go for diagnostic tests at a lab? They only go directly to the assigning physician, the lab keeps no physical copies.

        • each individual organization/doctor/pharmacist/etc is responsible for the data they store.

          Nope, this is the status quo as described in #4. You don't keep your data, the clinic does. You may "own" it but that ownership is only de jure.

          • by Mashiki ( 184564 )

            Nope, this is the status quo as described in #4. You don't keep your data, the clinic does. You may "own" it but that ownership is only de jure.

            Nope. In Canada a clinic is a "doctors office." On top of that the only person that can transfer records from doctor to doctor is the patient. This is a fundamental part of the privacy act.

            • Yes, I'm telling you, Canada and the US are the same here. It's still not your data. You control the access, but that's about it. It's "your" data, not your data.
              • by Mashiki ( 184564 )

                Yes, I'm telling you, Canada and the US are the same here. It's still not your data. You control the access, but that's about it. It's "your" data, not your data.

                The law is telling you it's not. The privacy act [justice.gc.ca] makes that fundamentally clear. So do things like PHIPA [ontario.ca] and so do things like PIPEDA. [priv.gc.ca] "Your" data is yours, PHIPA even goes further allowing patients to "lock box" personal information from ALL parties except those directly disclosed.

                • by chihowa ( 366380 )

                  He's talking about who is actually in possession of the records, not who has/grants legal authority to access them.

                  Is the data in your hand, as in you can leaf through it yourself, or do you merely control who has access to it? Are you responsible for bringing all of your heath records to the physician's office, or do they already have them all and you're merely "authorizing" them to access the records?

                  #1 You physically hold and secure the records

                  #2 A "trusted" third party holds the records

                  #3 The government

                  • by shanen ( 462549 )

                    Mostly doesn't appear to be a productive discussion, but let me try to at least clarify my position on some of the issues that have been discussed.

                    I do think you should have the right to designate where your personal information is stored, but I am willing to accept that sufficiently secure encryption with the patient's control over the key is an adequate substitute for physical possession of the storage devices. I also think this same basic principle should apply to all of your personal data, not just your

                  • by Mashiki ( 184564 )

                    Is the data in your hand, as in you can leaf through it yourself, or do you merely control who has access to it?

                    It can be, you only have to request it. You can also revoke access if you take your data with it you. The laws protects you in that regard, your data is yours.

                    Are you responsible for bringing all of your heath records to the physician's office, or do they already have them all and you're merely "authorizing" them to access the records?

                    If you're moving from a doctors office to another? Yes. You are responsible. Doctor-patient privileges "kick in" you only authorize the party you want.

                    So to answer your questions:

                    #1 Yes if you want.

                    #2 Only pertaining information, otherwise it's secondary. Hospital, doctors office, and so on. There are no 3rd parties that have access.

                    #3 The govern

            • That's how it is in the US too.

              I have to sign a release per doctor/lab/family member/ etc for them to have access. In fact, my insurance company only allows me to authorize a family to access my account for at most one year before I need to fill out the forms again.

              It was not always the case here, but has been for the past 15 plus years (HIPPA is what helped define this.)

      • by zifn4b ( 1040588 )

        3. The government acts as an escrow party. Enter the libertarians and anarchists to rip this option to shreds.

        Indeed. Countries are just organized groups of people. They self organize for the collective benefit and appoint different people/groups for specialized functions but at the core of every organized group of people is that we are all individual people working together. Countries don't own citizens. Governments don't own citizens. The reason is because countries and governments are composed of the same humans. The distinction between citizen, leader, king, government official, etc. is artificial. We al

        • You wouldn't say the government is responsible for storing your money safely right? I rest my case.

          As a counterpoint for the sake of argument, there are many countries who do have a national bank which does just that (and successfully). I do agree on the philosophical level that government entities are not always the most trustworthy, and yet on the otherhand they're also the ones responsible for enforcing the laws and protections we're complaining about being violated here.

    • You can ask for your copy of your medical information and they will give it to you where you can do what you want with it.
      However the real problem is getting it in a format that all the healthcare providers can read.
      The standard is the CCD/CDA format XML based format. However most institutions doesn't use the medical coding scheme Snowmed-CT so the data is difficult to discretely import into their systems.
      Then on the whole is individuals with there medical information any more secure? No not at all it many

    • by shanen ( 462549 )

      Two responses at this time, but I'm going to bypass them because I feel like they were misdirected in a way that indicates I failed to make my main point clearly.

      Under the current situation, your personal information becomes the property of someone else. I'm not saying that the doctors are insincere or that they don't want to help patients, but in business terms there are secondary factors that influence how the data is handled. Essentially it is not in their interests to share your data too easily because

      • Re: (Score:2, Informative)

        by geekmux ( 1040042 )

        I'm also sure that Quest Diagnostics had no desire to leak the information--but it wasn't really THEIR information that was being leaked. It was other people's information that they are allowed to claim ownership over.

        Well, that's one hell of a way of labeling the problem. Quest Diagnostics has a legal liability to protect information shared with them, and there's a monumental difference between ownership and stewardship, which I'm certain their lawyers will understand.

        • by shanen ( 462549 )

          Actually a sound point, but my focus is on "possession is nine points of the law". It can be quite difficult to prove that a steward has been insufficiently cautious, but if you possess something, then there is a strong (legal) presumption you should continue to possess it. From that perspective, unauthorized possession can already be regarded as the crime without worrying too much about how it happened.

    • by geekmux ( 1040042 ) on Tuesday December 13, 2016 @06:42AM (#53474883)

      Gee, what if patients could actually control their own information? Dream on, you silly fool.

      I gotta stop thinking about solutions, eh?

      Imagine that all of your personal medical information was stored where YOU wanted it to be. One implementation would involve a decryption key in a smartcard that you would use to give permission to a doctor or hospital when they need to access your information.

      Never happen. Too much like giving the patients actual rights. You know, like that Bill of Rights thing. Possession is nine points of the law, and you don't have the lawyers to make it happen, eh?

      All those "eh"s? I'm not Canadian. Just wishing.

      Uh "decryption key"? in a "smartcard"?

      You must be new here (to this planet), and have not yet been exposed to the general ignorance that humanity blindly provides. There's a reason banking PINs are only 4 numbers long, so while you're rambling on about advanced security solutions, the other 90% of humans around you drip drool from a blank stare trying to understand what the fuck you're saying.

      Oh, and do they even bother teaching about the Bill of Rights anymore? With the violations going on, the government would be setting themselves up for retaliation if the masses were actually educated on how they should be protected. Possession my ass. Read your EULAs. You don't "own" anything anymore.

      • by zifn4b ( 1040588 )

        Uh "decryption key"? in a "smartcard"?

        I believe they misspoke and are in reality referring to PKI: https://en.wikipedia.org/wiki/... [wikipedia.org]. Obviously, you'd never want to store a decryption key on a smart card or use an encryption scheme whereby a block of data could be decrypted with a single key. Everyone knows that's not secure.

        the other 90% of humans around you drip drool from a blank stare trying to understand what the fuck you're saying.

        Well, you could say the same thing about people when it comes to learning how to use firearms but if you want to be more safe in your own home, you're better off 1) having guns and 2) knowing how to use them. Ignorance i

        • the other 90% of humans around you drip drool from a blank stare trying to understand what the fuck you're saying.

          Well, you could say the same thing about people when it comes to learning how to use firearms but if you want to be more safe in your own home, you're better off 1) having guns and 2) knowing how to use them. Ignorance is not an excuse.

          Most humans understand the pull-this-thing device that actuates the "boom" end of the boomstick, along with the whopping four rules of gun safety, with the consequences being far more black and white.

          When it comes to computers, we are well beyond the point of simple ignorance. It's more like willful ignorance, also known as "what we pay you nerds for".

          We're talking about a user community who would prefer shoving a thumb drive up their own ass to secure their data rather than learn about encryption, PKI, or

          • by zifn4b ( 1040588 )

            When it comes to computers, we are well beyond the point of simple ignorance. It's more like willful ignorance, also known as "what we pay you nerds for".

            I agree but the same could be said about physical protection. Some people think "that's what my tax dollars pay the police to do, protect me" not realizing that the police won't get there until well after the damage is done. It's actually quite similar but equally ignorant and unreasonable.

      • by shanen ( 462549 )

        Reply noticed, but excessive rudeness justifies (and even calls for) no substantive response. Perhaps if you could only add a touch of wittiness?

    • by tomhath ( 637240 )

      Imagine that all of your personal medical information was stored where YOU wanted it to be. One implementation would involve a decryption key in a smartcard that you would use to give permission to a doctor or hospital when they need to access your information.

      Image a very high percentage of the people who go to a doctor or hospital are unable to provide their own name or birth date. You want to try getting a decryption key from them?

      • by shanen ( 462549 )

        This part seems to be addressed to me? If so, my response is that it differs little from the current obligation to provide proof of medical insurance. Of course there are problems in emergency situations, as when dealing with an unconscious patient, but we already have mechanisms to deal with such medical emergencies first and worry about the payment afterwards.

  • Fecking idiots.
    Why isn't health data held by the patient.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Or, you know, on paper? I much prefer to walk into a doctor's office and see the patients' records on paper, in folders, on shelves.

      Sadly, the doctors are being forced to make everything "digital". Even my dentist's office is changing over (and they hate it - even the xray images aren't as good as the old films - poorer resolution and they don't show enough of the root structure).

      This is not progress.

      • Re:my data (Score:4, Insightful)

        by zifn4b ( 1040588 ) on Tuesday December 13, 2016 @08:16AM (#53475191)

        Even my dentist's office is changing over (and they hate it - even the xray images aren't as good as the old films - poorer resolution and they don't show enough of the root structure).

        This is not progress.

        Uh, I've been to several healthcare providers that use digital imaging and it is incredibly high resolution. I think what your dentist is complaining about is that in order to get the same or better resolution means they have to spend some money to upgrade their old technology and they're really complaining about the cost of coming up-to-date with technology.

      • Oh yes and when a healthcare provider closes down (whether out of retirement, bankruptcy, etc) and your records get dumped on a curb (it's happened) outside of the doctor's house because the local hospital got tired of playing record keeper, you'd be singing a different tune. Or when your doc's office goes up in flames and their entire lots worth of archived data gets burnt. But now, let's say your doc makes duplicates or triplicates of everything and stores it all offsite. Who is going to pay for that? Who
    • by cdrudge ( 68377 )

      That's silly. You wouldn't understand it and it's best if only medical professionals have it and just tell you what you need to know. That's more or less what Quest told me last time I went to them.

      My insurance pays 100% of lab costs if we go through Quest for lab work. My first visit I had to wait about a week and a half for normal blood work that normally is available the next day at another lab. After my results were ready, I was told I had to contact my doctor and I couldn't get the actual results as th

  • Quest Care360 (Score:5, Informative)

    by Mr Foobar ( 11230 ) on Tuesday December 13, 2016 @08:04AM (#53475131) Homepage

    It seems a lot of the posters here really didn't read the article, and/or have no idea just exactly what got hacked.

    Disclosure: I work with their major competitor. We have an online app almost exactly like Quest's, as do many of our competitors. Most of these online apps have about the same functionality, more or less, and work very similarly.

    Care360 is Quest's online results delivery online app. The app itself belongs to Quest, and is run on hardware they own/lease. Provider offices ask for access to this app to receive their patient results. Typically this access is very restricted and narrow. The provider office only see the results they need to see. Some offices only see a couple new results a day (if any), other offices may see hundreds, even thousands of new results a day. An optional piece of software is an autoprint utility, which allows the office to get results automatically printed to some office printer, or even as PDF files on a receiving computer. Even another option is to have the results automatically received into the office management system with an electronic data interface.

    Another part of these systems allows the client to make a test requisition that can either be given to the patient, put into a system that the blood draw centers can receive, or go along with the specimens the office draws themselves. This is what I think got hacked. This requisition making system has all the patient demographics needed to process and bill the patient's lab work, including their address info, responsible party info, and insurance subscriber info including any needed billing info. It is everything the lab needs to know to bill, and in most cases also includes diagnosis codes. It is quite a lot of info for each patient, and has to be current for a successful billing.

  • Both the wife and I have been through numerous blood draws recently at Quest over the past few months. Really hoping our info wasn't stolen. Yet again.

You know you've landed gear-up when it takes full power to taxi.

Working...