back to article Bloody awful: Hell-thcare hackers break into databases of 20m medical test biz patients

Hackers have raided databases containing millions of medical test lab patients' personal and payment information, making off with at least hundreds of thousands of people's banking details. The ransacked data stores were maintained by American Medical Collection Agency (AMCA) on behalf of blood-testing biz LabCorp and medical- …

  1. Shadow Systems

    Fucking hell!

    The fact that the billing company didn't have our medical data is worth SFA given they leaked social security & credit card numbers.

    "You can breathe easy knowing that we managed to save the 'Billy Bass' singing fish plaque from your mantel while robbers were looting that safe full of cash we left unlocked..."

    Offering ID protection & credit monitoring isn't good enough. We need heads on pikes. Starting with all the upper management of the billing company.

    1. GnuTzu

      Re: Fucking hell!

      Sorry, but we're going to be seeing more of these fiascoes as more medical establishments farm out their patient management, and that's how it should be--because patient management services should not be managed by doctors; they should be managed by those who hire qualified infosec professionals to insure that patient data is protected. Yet, this industry is new; and while we here who follow infosec news have a sense of what this will take, doctors don't yet know how to shop for qualified services. Yes, as others are commenting here, HIPAA needs some updating and to be made mandatory. Until then, yes "fucking hell", these things will be getting worse.

  2. Anonymous Coward
    Anonymous Coward

    Hope this becomes a case-study at business schools... not to (sub)contract services with your data...

    ...why you shouldn't believe RFP responses...

    ...why technical controls (firewalls, IPS, compliance, etc) require business processes to become effective, especially with outsourcers / external business partners...

    ...that in a world of "you get what you pay for", cheapest is not the best,,,


    8 months the attackers were inside this database, and it was not spotted.

    Compliance...? Audits...? SIEM...? Reporting...? Firewalls...? I bet they had them... Despite that, so many failures on a human and technical level.

    To get action on this, I hope some shareholders get together and try to sue the company for breach of corporate responsibility - putting their share* price at risk. Then their cyber-insurance won't pay out, and the bosses could be individually liable.

    *=Money has value. Suing for the loss of customer data will carry less weight.

    AC, as I work for a security vendor and _know_ how hard it is to convince people that when we talk about cybersecurity, it really is not science fiction - and is relevant to them and they must do something...

    1. Anonymous Coward
      Anonymous Coward

      Re: Hope this becomes a case-study at business schools...

      I've worked at a number of sec vendors in my time though I'm back on the lamb side of the chopping block nowadays, rather than the meat cleaver side.

      You touch on one of the perennial Hard Problems of real-world infosec: convincing those who signs cheques that it's a real threat, and you're not just another geek / middle manager in search of more toys, a bigger budget or empire.

      As my 20 years mark approaches in a couple of years, I'm increasingly convinced of the truth of the old aphorism: in security, your biggest allies are demanding customers, regulators and auditors who take a Bottom Inspector approach to examining your security status, and of course advesaries / attackers. Your chief enemies are (1) the users, and (2) management. Yes, working in security is like being a BoFH without the wish-fulfillment bit...

  3. BigBear

    HIPAA compliance, anyone?

    For Quest Labs, AMCA would (in theory) have had to have signed a Business Associate Agreement, promising to be in full compliance with the US's HIPAA law, which requires, among other things, that all personally-identifiable health information (PHI) be stored and transmitted "securely". The law is not prescriptive, in terms of defining specific techniques for doing so, but does require both physical and electronic security.

    While it does not require state-of-the-art security (at crushing expense), anyone reading the regulations would expect that full encryption of data is expected, as well as normal industry best-practices for firewalls, anti-virus protection, two-factor logins, patch management, etc. After all, you're protecting other people's data, not just your corporation's data. The law creates a legal duty to protect that data.

    I wonder of AMCA knew that, signed any such agreement, had a clue what HIPAA is, or was HIPAA compliant? Violations of HIPAA can cause you to lose your accreditation, lose your your license, as well as huge fines (Some number of $ per case; multiply by 12 million cases).

    This works back to Quest Labs, too, as they handed over the data that included the PHI. Quest is responsible for ensuring that they choose a vendor that is HIPAA-compliant, signing an appropriate Business Associate Agreement, and monitoring their compliance.

    1. Keen1

      Re: HIPAA compliance, anyone?

      AMCA are probably supposed to be PCI compliant too, but compliant doesn't mean secure.

      After all, has The Reg ever reported a card breach from a non-PCI compliant provider? I expect the same will be true for HIPPA over the next few years.

  4. Anonymous Coward

    Too important to bother?

    What is it with healthcare? Too important to concern themselves with trivia like whether their systems work?

    I recently (OK, April 18th) tried to buy a prescription prepayment from the NHS's facility (calls itself beta, but isn't fit to be a public alpha without at least offering participants a clear back-channel to sort out issues). When it came to payment, I just got a developer-oriented error message, and a "cancel" link that just generated another error.

    Turned out it had taken payment (which I found out from my creditcard records) but not delivered anything. Trying to contact them to sort it out was equally broken. I ended up raising a dispute with the bank over my payment, which the bank accepted when I supplied the above story with detail of my attempts to contact them filled in.

    1. Anonymous Coward
      Anonymous Coward

      Re: Too important to bother?

      I work in the area (infosec) lots of things being pushed politically we "just have to make it happen" and no matter how many red flags are raised regarding data protection etc it's pushed through by those higher up. I have huge concerns around some of the information we are placing on public cloud but I'd be fired for uttering a word publicly. Hence Anon.

      1. Tom Paine
        Thumb Up

        Re: Too important to bother?

        Take a tip from an old pro: put it in writing. Even a polite email heavily obfuscated with technical jargon that only goes to your line manager is enough. It won't stop you getting fired when something goes pop (because "scapegoat" is second on the list of core duties in security, just below "fig leaf") but it should get you a bit more of a payoff when you draw their attention to the warnings they ignored and ask how they'll sound when they're read out at the employment tribunal.

  5. Anonymous Coward
    Anonymous Coward

    Social security numbers

    I typically refuse to give my SSN to health care providers. "(Fuck off.) You don't need it."

    I don't recall if I gave it to Quest, but probably not. I know damn well it's only for the convenience of bill collectors.

  6. Anonymous Coward
    Anonymous Coward

    You are only looking at the "corporate firewall"

    Funny thing about healthcare in America. You can put all the defenses up with HIPAA compliance, but at the end of the day, the weakest link is the Volunteer Fire Department's network connecting in to update EMS records.

    Your Welcome.

    1. Tom Paine

      Re: You are only looking at the "corporate firewall" , if you too are wondering what an EMS is.

  7. c1ue

    Dear Reg (and Shaun Nichols),

    It would have been nice to include whether this incident was related to the Labcorp outage incident last year.

  8. Anonymous Coward
    Anonymous Coward

    Sigh, now have a backlog of 132 years of free credit monitoring accumulated.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like