Taking Things Seriously

The latest major breach of privacy in the health-care system staggered the public this week as Quest Diagnostics, LabCorp, and their billing collector American Medical Collection Agency (AMCA) revealed that the private records of their customers had been hacked.

In the case of Quest, 11.9 million customers were put at risk; the LabCorp breach involved about 200,000.

This was not a one-time incident. For eight months, an unauthorized user had gained access to customers’ personal information, including credit card numbers, bank accounts and medical and personal information such as Social Security numbers.

Now that the companies realize what has been going on, they have taken appropriate action.

Quest, which operates medical testing centers around the U.S., suspended collections requests to AMCA and is seeking to do damage control, with the assistance of law enforcement agencies.

AMCA issued a statement that while an investigation has begun, it has taken down its web payments page, moved its online payments portal services to a third-party vendor, and retained the services of security experts.

LabCorp announced that it will no longer do business with AMCA.

All the companies involved gave assurances to the public of their earnest efforts to provide secure services:

Quest said it is “taking the situation very seriously,” and is “committed to the privacy and security of our patients’ personal information.” The company also noted that laboratory results were not accessed by the unauthorized user, even if everything else was.

AMCA “remains committed to our system’s security, data privacy, and the protection of personal information,” a spokesperson said. “LabCorp takes data security very seriously, including the security of data handled by vendors,” the company said Tuesday.

Assurances such as these are routine public relations fare,; hardly encouraging and almost entirely beside the point. No one questions the companies’ sincerity or good intentions; what is open to question is the effectiveness of their security systems.

While the companies appeared to come clean, details remained rather sparse. Customers could not yet find out if their accounts had been among those broken into, or, if they were, when. The possibility that other health-care companies had been affected remains to be clarified. Reports of the investigations were vague.

Such data breaches as these have become alarmingly frequent in the health-care sector in recent years.

“Hackers target financial companies, like this billing collection company, as they often store sensitive financial information that can be turned into immediate gains,” Giovanni Vigna, co-founder of security firm Lastline, told The Washington Post. “This kind of information is much more lucrative than personal health information that, at the moment, is not readily marketable by criminals.”

In 2018, health-care providers sustained more damage from cyber-attacks than any other industry, accounting for 25 percent of 750 reported incidents, according to a report from law firm BakerHostetler.

It would seem unfair to blame the companies, though. Like their customers, they and the billing firms are merely victims of a new type of criminal activity, which has proved difficult to prevent or prosecute. After all, it’s not just medical firms, but just about everyone — from the Pentagon to national power grids — that have come under attack in recent years, and the best computer minds in the country have yet to bring the phenomenon under control.

That said, there is nevertheless reason to believe that the health companies really have not been taking the matter seriously enough.

Health systems and hospitals have been falling short in compliance with Health Insurance Portability and Accountability Act (HIPAA) security rules, which sets the standards. A report earlier this year by cybersecurity consulting firm Cynergistek found that health firms had slipped in their security compliance, even as the problem grew worse. Whereas security was rated the sector’s No. 1 priority in 2017, it was down to No. 3 as of 2018.

It seems that a kind of “security fatigue” has set in. The growing sophistication of cyberattacks is relentless, and appears to outstrip the ability of companies to implement countermeasures. Unless, that is, they make a significantly greater investment in security to keep pace with the threat.

The government might be able to help as well. Some health companies have proposed that HIPAA-compliant firms be exempt from the steep penalties incurred for breaches, the rationale being that a company facing such penalties regardless of compliance has little incentive to invest in security. It may not be a cure-all, but it’s something that regulators should consider.

Security fatigue is not a medical condition; it’s a financial one, a cure for which can be found.

But giving up is not an option.