
Quest Diagnostics says nearly 12M patients may have had data breached - pgrote
https://www.cnbc.com/2019/06/03/quest-diagnostics-says-nearly-12-million-patients-may-have-had-data-breached.html
======
helloworld
The breach came from American Medical Collection Agency, a debt collector that
Quest uses. It's a sad statement on the state of American healthcare that 11.9
million people can't afford to pay their lab bills.

~~~
QuercusMax
I had a small lab bill for my daughter (right after she was born) sent to
collections because the address they had on file was for a location my
daughter had never lived at. My wife and I had moved 2 years prior, and
somehow the lab used our old address which they got from ???.

Reason #283942 that our medical system is horrendously broken in the US.

~~~
asark
Three kids, pretty sure each one had something related to the birth or
pregnancy care end up in collections. We could pay it all no problem and the
things that went to collections were usually tiny, medical billing's just
completely fucked up.

You get low-hundreds (not an exaggeration) different documents, handed to you
and via mail over the course of a year (9ish months + a few after, ends up
close to a year), some of which are bills and some of which look like bills
but say "this is not a bill" (so... why'd you send it?) and some of which are
from your insurance referencing other things and blah blah blah, then you get
a few that are clearly a screwup and you call the provider and they're all
"LOL no your insurance got it it's fine, ignore that bill" (!?!?! seriously,
dafuq, how many people just pay it and do you give them their money back
unless they ask?) and of course one of those pieces of paper is gonna slip
through the cracks.

Insurance companies get a lot of shit, but the whole medical billing complex
is rotten, top to bottom.

------
folkhack
Great. Yet another one. Can't even just get simple lab diagnostics anymore
without having your SSN/CC number harvested... let's all look on in disbelief
while these people barely get slapped on the wrist!

Just a reminder to everyone to keep passwords rotated, and to monitor your
credit/bank account...

~~~
pmoriarty
How many more decades of such data breaches is it going to take for
organizations to start realizing that SSNs are not a good way to authenticate
or identify people (a purpose they were never meant for), and that most
people's SSNs have already been compromised?

~~~
bifrost
There are very few common identity factors available for these companies. I'd
almost be willing to have the US Govt develop a "medical ID number"
specifically for this purpose.

~~~
bluGill
It would have the same issues as SSN though: a number that once it leaks lets
someone else have too much knowledge/power over you.

~~~
DebtDeflation
But that is THE FUNDAMENTAL problem. No one should be able to impersonate you
and open up credit cards in your name simply by knowing your Name, Address,
DOB, and SSN. Just as no one should be able to purchase things using your
credit card account by knowing your name, credit card number, and expiration
date (all of which are printed on the card, which you give to people for B&M
purchases). The system is fundamentally broken, and that fact gets ignored by
all the focus on "data breaches". At a minimum, we need to move to multifactor
authentication and one time use "credit card numbers" generated at the time of
the transaction.

~~~
ravenstine
> one time use "credit card numbers" generated at the time of the transaction

PayPal used to have that feature but got rid of it for some reason.

~~~
Consultant32452
Google Pay still offers this. I have a virtual card number that is given to
merchants instead of my real CC number. I don't know if this is a feature for
all of Google Pay or requires special integration with my particular CC/bank.

------
social_quotient
Imagine the call fraud now. Hello Mrs Jones I’m calling about the labs you had
done last month, CBC, cardiac panel etc., with Dr Bob. I was alerted to make
the call because your values are out of normal range and there are critical
things I need to review with you. Before we get into the details I need to
first confirm your identity.

-- Or -- Your insurance only covered part of the blood labs on the 12th. To
release the results to your doctor I need to secure payment today for 189.74.

------
devereaux
Name + ICD diagnosis, what a wonderful leak for blackmailers worldwide! (/s)

Seriously, these two pieces of data that are innocent alone, when taken
separately (HIV, chlamydia, cancer...) should _NEVER_ have been linked
together, _ESPECIALLY_ when given to a third party, _EVEN MORE_ stored
together.

I pray it will result in many lawsuits with hefty punitive damages, and that
as a consequence private data will be considered a liability to be deleted as
early as possible (just like corporate email in many companies)

~~~
tedmiston
Good catch. Reading between the lines I took this to mean that lab information
was not leaked:

> The system contained sensitive data, including credit card numbers, bank
> account information, medical information and Social Security numbers, Quest
> said. Lab results were not provided to AMCA and were not exposed in the
> breach. AMCA thinks 11.9 million Quest patients were affected as of May 31,
> 2019, Quest said.

But it only says _lab results_ were not leaked with the extremely generic
label of _medical information_ as being leaked. I wonder if "medical
information" includes lab codes or what exactly it consists of?

~~~
devereaux
Medical information is likely to be ICD codes for the active diagnosis, and
antecedents (history) for this patient.

This is worse than full text medical information because everything is already
coded, so you can make some simple algorithms to find crunchy details with a
very high specificity.

------
Terretta
In the past I've done software for healthcare, happened to learn for the
privacy conscious:

You can order anonymous labs for yourself through various online lab
resellers. At the lab, you don't need ID, just the order. You will get lab
results; you will not get a diagnosis.

For instance, and not a recommendation:

FAQ: [https://www.health-tests-direct.com/frequently-asked-questions](https://www.health-tests-direct.com/frequently-asked-questions)

_Q: How can I keep my “true” identity from HTD, and the clinic, and the lab?_

_A: Easy -- Don’t give us your phone number or credit card info. Then mail us
a money order (a money order does not require your name or signature) for the
total amount due for the blood draw and lab analysis. We will e-mail the lab
paperwork to you when the money order arrives and email the lab results to you
the same day we receive those 2-3 days later. If you want, you can even set up
a temporary (and free) “alias” e-mail address at Yahoo!
(e.g.,“YourAliasName”@yahoo.com) for the purpose of our email communications
with you..._

_There are two more things we hope that you will feel more comfortable
knowing: First, 99.99% of the blood draw centers we send you to will NOT ask
for your photo I.D. when you go in for your blood test. And, in the very-very
rare event that one should they do so, don’t feel obligated to show it to
them. Instead, leave the PSC and immediately call us. We will find you another
PSC! Or, keep in mind, that your lab tests results are NEVER sent to or shared
with the clinic or its personnel that does your blood draw. Only YOU get your
lab results, and NOBODY else. So, if you are asked, and you DO decide to show
them your drivers license or other ID, rest assured that they will NEVER see
or know the result of your test(s) anyway!_

See also: [https://www.walkinlab.com/help-contents#privacy](https://www.walkinlab.com/help-contents#privacy)

_Q - Can I do anonymous testing?_

_A - Yes, an order can be placed anonymously. The First Name field must start
with an alpha or numeric character and the Last Name must be an alpha
character. Your correct date of birth and gender are required._

Both of these work with LabCorp and Quest Diagnostics; DuckDuckGo can help you
find more.

------
clarkmoody
Hey, maybe we shouldn't centralize huge amounts of sensitive information?

~~~
bifrost
The US Govt wants to federalize this, think about how much worse it could've
been.

~~~
freehunter
The government is far from perfect but private corporations have not exactly
proven to be great stewards of data privacy or fiscal responsibility.

~~~
bifrost
Yeah, that OPM hack was greaaaaaaat....

------
ohithereyou
Nobody should be allowed to hold this amount of sensitive information about
customers without paying a large bond to hold that information. It's clear
that these companies will not minimize their data collection since storage is
practically infinite, so make it cost them so they have an actual reason to
care.

------
JumpCrisscross
Is this a HIPAA violation?

~~~
bifrost
It's a breach, so yeah. That said it'll probably get covered by insurance...

~~~
olliej
If it is a HIPAA violation the fines are deliberately per instance - e.g. 12
million * (the fine), and I can’t recall whether HIPAA considers each piece of
data a separate violation.

But I think to be a HIPAA violation it would need to have information about
what tests are involved - e.g. just a monetary debt and knowing it came from a
lab might be argued as not being a violation?

That said until there are mandatory per-person-per-data-leaked fines, coupled
with liability for misuse of that data, companies are just going to continue
leaking because they “compensate” people by giving them “free” credit
monitoring.

That last bit is great because it only resolves financial service harm, and
offloads actually preventing fraud to the victims of these companies.

------
pcarolan
I tried dealing with Quest recently and gave up. They don't answer their phone
or do and hang up. The more I see these breaches, the more it seems like it
mostly comes down to someone either implicitly or explicitly making the
decision that the costs of customer service (which includes data privacy)
aren't worth it.

------
wiseleo
Quest is one of the leading providers of employment and pre-employment drug
testing. Their "customers" do not have much choice to avoid them. They are
often not "patients" in need of medical care. The tests are often paid for by
interested parties like employers. Now I have to assume that because of a drug
test required for my background checks, my identity was compromised yet again.

Which politician can make ID data breaches financially ruinous and their
concealment criminal?

------
reiderrider
We send a few thousand life insurance applicants per year to Quest. Quest is
the 800 pound gorilla for insurance exam lab work. It’s unfortunate, but
alternatives are likely less secure and we’ll continue using Quest.

------
mycall
Nice, just went there today. Good job Quest!

------
rgray805
Curious - who are the possible "third party forensics firms" that would
investigate this?