Menendez Presses Quest for Answers after Data Breach Impacts 12M Patients

Senator stresses need to protect patients’ private, medical information

 

WASHINGTON, D.C. – U.S. Senator Bob Menendez (D-N.J.) sent a formal inquiry today to New Jersey-based Quest Diagnostics seeking answers from the company after it was revealed that a data breach compromised the personal, financial and medical information of an estimated 12 million patients.

“As the nation’s largest blood testing provider, this data breach places the information of millions of patients at risk,” wrote Sen. Menendez in a letter to Quest CEO XXXXXX.  “The months-long leak leaves sensitive personal information vulnerable in the hands of criminal enterprises.  Moreover, such breaches force victims to contend with identity theft that may lead to irreparable harm to their credit reports and financial futures, and to confront the real possibility that their confidential medical information and history has been exposed.”

Sen. Menendez has authored a package of consumer protection bills aimed at safeguarding Americans’ personal information from data breaches and holding accountable those companies that fail to do so.

“We need to understand exactly how this breach happened and how it impacts patients.  We must also ensure that entities with access to patients’ personal, medical, and financial information understand their role in protecting patients and are taking both immediate and longer-term steps to mitigate this harm,” the letter continued.

Sen. Menendez has consistently led the response to massive corporate data breaches, including at Target, eBay, Home Depot, Equifax, and others.  He led the call for Senate hearings into the Equifax breach, urged a top-to-bottom review of all three major credit reporting agencies, and joined a bipartisan group of 34 senators calling for investigations by the Securities and Exchange Commission (SEC), Department of Justice (DOJ) and Federal Trade Commission (FTC) into stock sales and potential insider trading.

The full text of the letter follows and can be downloaded here.

June 4, 2019

We write in response to reports that there is a seven-month-old data breach involving Quest Diagnostics’s partner, the American Medical Collection Agency (AMCA). We are deeply concerned that this breach compromised the personal, financial, and medical information of nearly 12 million Quest Diagnostics Inc. patients.

As the nation’s largest blood testing provider, this data breach places the information of millions of patients at risk. The months-long leak leaves sensitive personal information vulnerable in the hands of criminal enterprises. Moreover, such breaches force victims to contend with identity theft that may lead to irreparable harm to their credit reports and financial futures, and to confront the real possibility that their confidential medical information and history has been exposed. 

We need to understand exactly how this breach happened and how it impacts patients. We must also ensure that entities with access to patients’ personal, medical, and financial information understand their role in protecting patients and are taking both immediate and longer-term steps to mitigate this harm. In light of these concerns, we ask that you please provide responses to the following:

  1. Provide a detailed timeline of the breach, including when it began, its discovery, any investigation of its scope and source, notification to authorities, efforts to notify patients, and notification to Quest Diagnostics’s senior executives. 
  2. Please describe Quest Diagnostics’s efforts to identify the scope of affected patients and breadth of information compromised.
  3. What steps has Quest Diagnostics taken to identify and limit potential patient harm associated with this breach?
  4. Does Quest Diagnostics plan to provide notice to each affected consumer, or will it rely on consumer-initiated checks to inform them?
  5. Does Quest Diagnostics have procedures in place to receive and act on vulnerability reports?
    1. If so, please describe these procedures, when they were implemented, and how frequently the company acts to remediate vulnerabilities.
    2. When Quest Diagnostics was first notified of a potential breach by AMCA on May 14, 2019, what immediate steps did it take to protect patients’ information?
  6. What processes does Quest Diagnostics have in place to ensure that the companies it outsources patient information to responsibly protect their patients’ information?
  7. What new processes will Quest Diagnostics implement to better monitor the information and data security of the companies to which it outsources patient information?
  8. Please explain how the breach persisted for seven months without awareness from Quest Diagnostics.
  9. Please describe the resources that Quest Diagnostics dedicates to information and data security.
    1. Does Quest Diagnostics employ a Chief Information Security Officer? If so, to whom does this person report?
    2. Is anyone at Quest Diagnostics responsible for evaluating the information and data security of the companies to which it outsources patient information?
    3. How many full-time employees at Quest Diagnostics focus on information and data security?
  10. During the past seven months of the breach, how many times has Quest Diagnostics conducted a security test which evaluates both Quest Diagnostics’s systems as well as the systems of any companies it outsources to? 

We request that Quest Diagnostics respond to this request no later than XXX. Thank you for your prompt attention to this important issue.

Sincerely,

 

###

Press Contact

Steven_Sandberg@menendez.senate.gov