Quest Diagnostics Announces 34,000-Record ePHI Breach

Madison, New Jersey-based clinical laboratory service provider Quest Diagnostics is alerting 34,000 patients that some of their electronic protected health information (ePHI) has been stolen.

Quest Diagnostics is business associate of many healthcare providers across the United States. Consequently, patients across the United States have been impacted by the breach.

On November 26, 2016, an unknown individual gained access to the MyQuest by Care360® Internet application and successfully exfiltrated a range of patient data. The intrusion was detected two days later when staff returned to work on Monday.

Upon discovery of the breach, access to the Internet application was blocked to prevent any further data from being accessed or copied and a leading cybersecurity firm was contracted to conduct a thorough investigation of the breach.

The investigation revealed that patients’ test results were copied along with names, dates of birth, and some telephone numbers, although no highly sensitive data such as Social Security numbers, health Insurance information, or financial data were accessed or copied. The cybersecurity firm is also conducting a thorough assessment of cybersecurity protections in place to prevent unauthorized data access. Upon conclusion of that assessment, additional protections will be put in place to prevent future breaches of this nature from occurring.

Quest Diagnostics responded promptly to the breach and has issued notification letters to patients under two weeks after the breach was first discovered, well inside the 60-day breach notification time limit stipulated by the Health Insurance Portability and Accountability Act (HIPAA).

While it has only been two weeks since the breach, Quest Diagnostics has not received any reports of patient data being misused to date. Quest Diagnostics has told patients “we do not believe that you need to take any steps at this time to protect yourself in response to this breach.”

The breach has been reported to the federal law enforcement agencies, and the Department of Health and Human Services’ Office for Civil Rights and state attorneys general have also been notified.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.