This Week in Data Breaches: 11.9 Million Patients' Data Stolen in Quest Diagnostics Breach

From the personal information of 11.9 million Quest Diagnostics patients being stolen to a data breach at U.S. Customs and Border Protection, here we round up the latest in data security and privacy news.

Patients’ Personal and Financial Information Stolen in Quest Diagnostics Data Breach

Quest Diagnostics, a laboratory testing provider, disclosed last week that a third-party vendor suffered a breach in which the personal information of 11.9 million Quest patients was stolen. The stolen data included patient names, dates of birth, addresses, Social Security numbers, phone numbers, dates of service, care providers, and credit card and bank account information.

Quest’s systems were not directly affected by the security incident, rather it was a third-party billing provider, American Medical Collection Agency (AMCA), that was compromised. An “unauthorized user” had access to AMCA’s systems for nine months, from August 2018 through March 2019. In a statement, the company said that it does not believe that laboratory test results were exposed. A class action lawsuit has already been filed against Quest, seeking $5 million in damages related to the breach.

This latest breach is reminiscent of the breach at Anthem in 2014, the largest hack of medical data, when the records of 79 million customers were stolen. Anthem eventually settled with victims for $115 million. Financial data handled by insurance and billing companies is extremely lucrative for hackers and continues to be a prime target. There were more than 363 data breaches in the medical sector alone last year, according to the Identity Theft Resource Center.

While these companies are being targeted more and more by hackers, they have yet to take the steps necessary to protect their customers’ data as witnessed by a string of high profile breaches that has left millions of consumers vulnerable to financial fraud and phishing attacks. For information on how to protect your identity and fight against fraud, make sure you check out our latest step-by-step guide to help you improve your cybersecurity hygiene.

LabCorp Data Breach Affected 7.7 Million Customers

On the heels of the Quest disclosure, it was revealed American Medical Collection Agency exposed the personal and financial data of 7.7 million LabCorp customers in the breach as well, bringing the total number of patients affected to 19.6 million.

In a filing with the U.S. Securities and Exchange Commission (SEC), LabCorp said, “AMCA’s affected system included information provided by LabCorp. That information could include first and last name, date of birth, address, phone, date of service, provider, and balance information. AMCA’s affected system also included credit card or bank account information that was provided by the consumer to AMCA.”

AMCA is in the process of sending notices to approximately 200,000 LabCorp customers whose bank account or credit card information was compromised. Those 200,000 customers are now at high risk of financial fraud. If you believe you have been involved in either the LabCorp or Quest breach or have received a notice, you should alert your bank and credit card providers and place a freeze on your credit report with the credit bureaus.

Also, be on the lookout for sophisticated phishing emails, in which fraudsters pose as credible sources by using private information in an attempt to get you to give up even more valuable information such as your Social Security number or passwords to financial accounts, usually by directing you to enter sensitive information on a fake website setup to look like a legitimate site.

U.S. Customs and Border Protection Data Breach

U.S. Customs and Border Protection (CBP) has disclosed that photos of people traveling in and out of the United States were stolen in a “malicious cyberattack”, as reported by TechCrunch last week. A CBP spokesperson told TechCrunch that the attack affected less than 100,000 travelers who passed through a single land border over the course of a month and a half.

In a statement, the agency said that it “learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network” and that the agency’s networks were not affected. According to cybersecurity experts, it is possible that the true severity of the breach is much greater than what CBP has said, as the agency has collected fingerprints, facial data, and even social-media account information from travelers in the past.

The breach comes as governments around the world are facing scrutiny for a wide-range of invasive surveillance practices, from the use of biometric data in India and China to the proliferation of advanced facial recognition technology at law enforcement agencies in the US. As governments hoover up data at an alarming rate, they pose an acute risk to citizens in the increasingly likely event their systems are compromised.

Bloom: Take Back Control of Your Data

At Bloom, we are giving you the tools to take back control of your data. No more centralized data storage. No more selling off your data to the highest bidder. No more risking identity theft. Bloom enables you to own, control, and protect your data using the latest advancements in blockchain technology.

It’s time to take back control of your data and unlock the power of a secure, reusable identity today. Download the Bloom mobile app to build a cryptographically secured identity and get free data breach alerts with Radar!