WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), a member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus, wrote today to the CEO of Quest Diagnostics, asking for information on the company’s supply chain management and cybersecurity practices after the company reported on Monday that approximately 11.9 million Quest patients may have been compromised as a result of a breach to a system used by one of Quest’s contractors.
“While I am heartened to learn that no evidence currently suggests Quest Diagnostic’s systems were breached, I am concerned about your supply chain management, and your third party selection and monitoring process. According to a recent report, 20 percent of data breaches in the health care sector last year were traced to third-party vendors, and an estimated 56 percent of provider organizations have experienced a third-party breach,” Sen. Warner wrote in his letter to Stephen Rusckowski, Chairman, President and CEO of Quest Diagnostics.
Earlier this year, Sen. Warner sent letters to multiple health care associations and government agencies including the Food and Drug Administration, Department of Health and Human Services, Centers for Medicare and Medicaid Services, and National Institute of Standards and Technology, seeking more information about steps being taken to reduce cyber vulnerabilities in the health care industry, which has become a growing target for cyberattackers. In the letters, Sen. Warner pointed to apparent gaps in oversight, expressed concern about the impact of cyber-attacks on the health care sector, and conveyed his desire to work alongside stakeholders to develop strategies that strengthen information security.
In today’s letter to Quest, Sen. Warner asked the company to provide additional information regarding the breach and the company’s processes for selecting and monitoring sub-contractors and vendors.
The full text of the letter appears below. A copy of the letter is available here.
Mr. Stephen H. Rusckowski
Chairman, President and Chief Executive Officer
500 Plaza Drive
Secaucus, NJ 0709
Dear Mr. Rusckowski,
On Monday June 3rd it was publicly reported that the data of an estimated 11.9 million of your customers were exposed by one of your bill collection vendors, American Medical Collection Agency (ACMA). According to your SEC filing, between August 1st 2018 and March 30th 2019, an unauthorized user had access to American Medical Collection Agency’s systems and data that included credit card numbers and bank account information, medical information, and other sensitive personal information like social security numbers. A statement by ACMA noted that the company was made aware of the breach by a security compliance firm that works with credit card companies. An internal review was then conducted by ACMA, which took down the web payments page, and notified law enforcement.
While I am heartened to learn that no evidence currently suggests Quest Diagnostic’s systems were breached, I am concerned about your supply chain management, and your third party selection and monitoring process. According to a recent report, 20 percent of data breaches in the health care sector last year were traced to third-party vendors, and an estimated 56 percent of provider organizations have experienced a third-party breach. One set of major vendor breaches in the last year were caused by a third-party administrator for health insurance companies, and impacted Highmark BCBS, Aetna, Emblem Health, Humana, and United Health.
In February of this year I queried a number of health care stakeholders seeking input on how we might improve cybersecurity in the health care industry. As I work with stakeholders to develop a short and long term strategy for reducing cybersecurity vulnerabilities in the health care sector, I would like more information on your vendor selection and due diligence process, sub-supplier monitoring, continuous vendor evaluation policies, and what you plan to do about your other vendors, given the vulnerability and information security failures of this one.
Having long been an advocate for transparency and reporting of data breach information, I commend your reporting and handling of the breach notification, but I am still concerned with the third party evaluation and monitoring process.
To gain a better understanding of this situation, I would appreciate answers to the following questions:
1. Please describe your third-party vendor information security vetting process.
2. If you secure a contract with a third-party to collect information from your customers, do you have a process for evaluating the standards used by that entity, the sub-supplier, to secure their information systems?
3. What are your third-party vendor security and risk assessment requirements?
4. What are your third-party requirements for how customer information is processed and stored?
5. What are your third-party vendor requirements for data encryption?
6. How are you ensuring that your other third-party vendors like ACMA are not similarly vulnerable to point of sale malware or other information security vulnerabilities?
Thank you for your attention to this important issue. I look forward to your response in the next two weeks.
Mark R. Warner
United State Senator