back to article You. Quest and LabCorp. Explain these medical database super-hacks, say US senators as 425,000 more people hit

As healthcare companies come forward to confirm hackers would have been able to access millions of patients' personal information from a compromised American Medical Collections Agency (AMCA) database, US senators are demanding answers. Quest Diagnostics was yesterday on the receiving end of an open letter (PDF) issued by …

  1. This post has been deleted by its author

    1. elDog

      Re: We'll see a "Your privacy is of utmost importance" and "No critical information was released"

      I feel like a fool, a comfortable position to be in.

      I can't seem to delete a duplicate posting without bolluxing even more of this site.

      One would think that after 20-30 years of playing around with forums and other boardy things that we'd have come up with a fool-proof way to deal with fools like me.

      Or is everything still home-invented and quaint?

      1. Killfalcon Silver badge

        Re: We'll see a "Your privacy is of utmost importance" and "No critical information was released"

        I've seen forums implement hashing to catch double-posts, but the simplest was "if same user makes two posts in the same 'thread' within X minutes, merge them".

        1. GnuTzu Silver badge

          Re: We'll see a "Your privacy is of utmost importance" and "No critical information was released"

          ...and others that limit rate of submissions, presumably to prevent bot flooding the chat.

  2. elDog

    "Your privacy is of utmost importance" and "No critical information was released"

    etc., etc.

    They won't even have any idea of what was stolen. They'll pretend that their audit logs didn't show any leaks.

    If they had real auditing in place the leaks would have been detected during normal log auditing cycles (hourly, daily).

    Obviously security is not as important as the bottom line and the C-suite salaries.

    Won't improve until these C-suite types get jailed and massively fined - personally.

    1. MachDiamond Silver badge

      Re: "Your privacy is of utmost importance" and "No critical information was released"

      "Won't improve until these C-suite types get jailed and massively fined - personally."

      Nail, meet hammer.

      The big paycheck should be balanced with oversized responsibility. Yes, you could be compensated in the millions per year as a Cxx, but you could wind up spending a decade locked up for being a cheap screw. Wouldn't it be worth it to sacrifice one million of that salary for 8 good, fully supported IT experts to prevent being uncomfortably confined?

  3. a_yank_lurker Silver badge

    Solution?

    I heard about this fiasco indirectly. What I understood was AMCA screwed the pooch and Quest was caught as someone in the middle. This highlights a problem of outsourcing some of your operations. You are now at the mercy of a potentially unreliable third party. This should be a wake up call, if you want to protect customer/client information you should be very wary of releasing it to third parties. If that means bringing some activities back inhouse and onshore, then do it.

    1. Wellyboot Silver badge

      Re: Solution?

      I'm sure that as Quest, Labcorp & Opko all have 'We take your privacy seriously' notices plastered about the place they'll have undertaken a detailed security audit of the AMCA operation before trusting them with any data. The 'It wasn't us' line doesn't absolve them and I assume AMCA does business with many other companies so why have only these three put their hands up to a breach.

      FBI investigators looking into the audit & security process of all parties would I'm sure bring about some very quick improvements.

      We really need a Déjà vu icon.

      1. Doctor Syntax Silver badge

        Re: Solution?

        It's the consequence of a casual attitude to passing data around. The EU has been trying to get this under control for years but it's difficult when US corporations get involved in the chain and we get the likes of Safe Harbor and the Security Figleaf.

  4. Pascal Monett Silver badge

    "two years of credit and identity theft monitoring"

    Could somebody please tell me if that is actually of any use ? I have the feeling that it is just a polite band-aid to make you go away and keep quiet.

    1. MachDiamond Silver badge

      Re: "two years of credit and identity theft monitoring"

      It's a sticking plaster of epic proportions (over a gaping wound). While somebody might not be able to open new credit in your name, it's more information about you in a black database that can be used in other ways to separate you from your money. People get money stolen from man in the middle email spoofing on real estate transactions and that's not covered by anyone. The more information the baddies have, the easier it is to convince a third party that they are you or they are somebody you are dealing with on a transaction such as buying a home or business.

      Credit monitoring doesn't always work either. Some of those "angels" are to blame for leaks.

  5. Crisp

    "two years of credit and identity theft monitoring service free of charge"

    It sounds like they are helping.

    But they are really not.

  6. Mephistro Silver badge
    Unhappy

    I'd bet that...

    ... all those stolen records, whatever their real number is, have already been sold "under the table" to medical insurance and credit companies, because, you know, capitalism.

    For many people, in many senses, this could be even worse than identity theft.

  7. ThatOne Silver badge
    Devil

    What a time to be a credit monitoring company!

    My, just lean back and let the dough roll in. Clients running down your door, begging you to take their money for fear to lose even more...

  8. Doctor Syntax Silver badge

    "two years of credit and identity theft monitoring service free of charge."

    Two years? How about for life - always assuming the monitoring service can be trusted to be secure?

  9. Henry Wertz 1 Gold badge

    even worse

    Even worse, LabCorp is one of those places where employers who require piss tests ("pre employment drug screening") require people to go there to get it done. So a bunch of these people who have their info leaked probably didn't even go there by real choice or for legitimate medical workers.

    1. A random security guy Bronze badge

      Re: even worse

      Wow!!! So they probably have records of people who failed drug or HIV tests.

      1. Wellyboot Silver badge

        Re: even worse

        Only the financial details should have been compromised. (and that's bad enough) AMCA don't need access to any medical details to chase payments.

        Anything beyond 'You owe $amount$ for medical services provided by $provider$ at $location$ on $date$' is completely out of scope.

  10. A random security guy Bronze badge

    They. Don't. Care.

    Neither the execs nor the major stockholders nor the politicians really care. They look at bottom line numbers. Execs' bottom line is their bonus and options, the stock holders for revenue numbers, and the politicians for the PAC donations.

    They give lip-service to security. Even Intel's now Ex-CEO (Brian K) doesn't go to prison. Equifax? The less said the better.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020