Menendez, Booker Press Quest for Answers after Data Breach Impacts 12M Patients

Senators stress need to protect patients’ private, medical information

 

WASHINGTON, D.C. – U.S. Senators Bob Menendez and Cory Booker (both D-N.J.) sent a formal inquiry today to New Jersey-based Quest Diagnostics seeking answers from the company after it was revealed that a data breach compromised the personal, financial and medical information of an estimated 12 million patients.

“As the nation’s largest blood testing provider, this data breach places the information of millions of patients at risk,” wrote Sens. Menendez and Booker in a letter to Quest Chairman, President and CEO Stephen Rusckowski.  “The months-long leak leaves sensitive personal information vulnerable in the hands of criminal enterprises.  Moreover, such breaches force victims to contend with identity theft that may lead to irreparable harm to their credit reports and financial futures, and to confront the real possibility that their confidential medical information and history has been exposed.”

Sen. Menendez has authored a package of consumer protection bills aimed at safeguarding Americans’ personal information from data breaches and holding accountable those companies who fail to do so.

“We need to understand exactly how this breach happened and how it impacts patients.  We must also ensure that entities with access to patients’ personal, medical, and financial information understand their role in protecting patients and are taking both immediate and longer-term steps to mitigate this harm,” the letter continued.

Sen. Menendez has consistently led the response to massive corporate data breaches, including at Target, eBay, Home Depot, Equifax, and others.  He led the call for Senate hearings into the Equifax breach, urged a top-to-bottom review of all three major credit reporting agencies, and joined a bipartisan group of 34 senators calling for investigations by the Securities and Exchange Commission (SEC), Department of Justice (DOJ) and Federal Trade Commission (FTC) into stock sales and potential insider trading.

The full text of the letter follows and can be downloaded here.

June 5, 2019

 

Dear Mr. Rusckowski:

 

We write in response to reports that there has been a seven months-long data breach involving Quest Diagnostics’s partner, the American Medical Collection Agency (AMCA). We are deeply concerned that this breach compromised the personal, financial, and medical information of nearly 12 million Quest Diagnostics Inc. patients.

 

As the nation’s largest blood testing provider, this data breach places the information of millions of patients at risk. The months-long leak leaves sensitive personal information vulnerable in the hands of criminal enterprises. Moreover, such breaches force victims to contend with identity theft that may lead to irreparable harm to their credit reports and financial futures, and to confront the real possibility that their confidential medical information and history has been exposed.

 

We need to understand exactly how this breach happened and how it impacts patients. We must also ensure that entities with access to patients’ personal, medical, and financial information understand their role in protecting patients and are taking both immediate and longer-term steps to mitigate this harm. In light of these concerns, we ask that you please provide responses to the following:

 

  1. Provide a detailed timeline of the breach, including when it began, its discovery, any investigation of its scope and source, notification to authorities, efforts to notify patients, and notification to Quest Diagnostics’s senior executives.

  2. Please describe Quest Diagnostics’s efforts to identify the scope of affected patients and breadth of information compromised.

  3. What steps has Quest Diagnostics taken to identify and limit potential patient harm associated with this breach?

  4. Does Quest Diagnostics plan to provide notice to each affected consumer, or will it rely on consumer-initiated checks to inform them?

  5. Does Quest Diagnostics have procedures in place to receive and act on vulnerability reports?
    1. If so, please describe these procedures, when they were implemented, and how frequently the company acts to remediate vulnerabilities.
    2. When Quest Diagnostics was first notified of a potential breach by AMCA on May 14, 2019, what immediate steps did it take to protect patients’ information?

  6. What processes does Quest Diagnostics have in place to ensure that the companies it outsources patient information to responsibly protect their patients’ information?

  7. What new processes will Quest Diagnostics implement to better monitor the information and data security of the companies to which it outsources patient information?

  8. Please explain how the breach persisted for seven months without awareness from Quest Diagnostics.

  9. Please describe the resources that Quest Diagnostics dedicates to information and data security.
    1. Does Quest Diagnostics employ a Chief Information Security Officer? If so, to whom does this person report?
    2. Is anyone at Quest Diagnostics responsible for evaluating the information and data security of the companies to which it outsources patient information?
    3. How many full-time employees at Quest Diagnostics focus on information and data security?

  10. During the past seven months of the breach, how many times has Quest Diagnostics conducted a security test which evaluates both Quest Diagnostics’s systems as well as the systems of any companies it outsources to?

 

We request that Quest Diagnostics respond to this request no later than June 14, 2019. Thank you for your prompt attention to this important issue.

 

Sincerely,

 
