Quest Diagnostics says nearly 12M patients may have had data breached (cnbc.com)
163 points by pgrote on June 3, 2019 | hide | past | favorite | 70 comments



The breach came from American Medical Collection Agency, a debt collector that Quest uses. It's a sad statement on the state of American healthcare that 11.9 million people can't afford to pay their lab bills.


I was able to (and did) pay my $20 lab fee a few years ago, but the billing entity sent it to collections anyway. It took me many months to get it removed from my credit report.

That we have so much fallibility in medical billing is still a sad statement, though.


Collections PSA: Collections is regulated under FDCPA/FCRA. If you as a reader are in a similar situation, please review the below resources. Do not tolerate misreporting of information to CRAs (credit reporting agencies) by creditors, nor pursuit by collections firms. Do not communicate with phone calls or use apps to dispute. Do use certified mail return receipt for correspondence while building your paper trail. Do demand validation of an alleged debt in a timely fashion. Do file a CFPB complaint and/or consult with an attorney to sue a debt collector when warranted.

https://www.reddit.com/r/personalfinance/wiki/collections

https://www.kalzumeus.com/2017/09/09/identity-theft-credit-r... (excellent resource by patio11 on how to present to CRAs and build a paper trail, although more focused on responding to identify theft)

https://web.archive.org/web/20190604005100/https://www.balla... (Sample letters to respond to debt collectors)

Disclaimer: Not an attorney, not your attorney.


"Do demand validation of an alleged debt in a timely fashion"

I did this to a debt collection agency and they became enraged, presumably trying to scare me into allowing them to cut corners. Sure enough I never did get the validation and the collection vanished from my credit report.


There should be a startup or something that you can call to get this taken care of. I bet there are a lot of people with plenty of money and no desire to deal with this stuff.


The people who have these problems rarely have money, in my experience. Have done almost all the work pro bono (which I’m fine with, it just doesn’t scale). These are systemic issues that need addressing. Medical collections should not be a thing. Federal and state law should fiercely protect against abusive creditors and lazy credit reporting agencies.


I'm actually thinking of starting a company to tackle this very issue. You can save ALMOST any patient money, just by getting their information, income levels, debt and sending a letter to the hospital/company. If this fails, lawyer on staff would need to write up a letter.

Medical payments in the US are a joke and laughable. I have a chronic illness, so I gained some experience dealing with those snakes.

Ex. 1. I was charged 20k for a pre-authorized procedure. After the procedure, insurance could not agree with the company on the payment, as the average payment for such a procedure is $1800 (according to insurance), and insurance refused to pay. I stressed over it but didn't pay it; I was young and didn't have 20k laying around. I told the company to get lost and invited them to send my account to collections, and that I would fight them in court if I had to. 7 years later I received a bill after they agreed with insurance on a discounted rate of $300, at which point they started calling me again. It was too late and they could not put it on my credit report; therefore, again I explained that I will not pay, as this barely covers the time lost dealing with it. Bills stopped coming and they accepted defeat.

Ex. 2. Mother was in the ER, 40 minutes for abdominal pain. 0 tests; the doctor pressed her stomach and gave her high-strength Tylenol. Bill total $3500, just absurd IMO. Parents are lower middle class; I sent a letter with their income, debt and some nice words. Took me about 2 hours tops to come up with it and find where to drop it off. Bill instantly reduced to $350.

Healthcare prices in the US cannot be taken seriously. It is so anti-patient it is unbelievable. Go to ER and get 10 different bills. There is definitely room for a company to come in and represent patients and easily save money.

Plus, patients are OFTEN billed for stuff they didn't get. The abuse in the industry is insane. You can get double billed, and there is also upcoding and unbundling, which results in higher bills.


Maybe just run for office and support universal healthcare instead?


I don't know if Universal Healthcare is possible in the US. Many people falsely believe US healthcare is the best and facts don't matter. Just look at the current state of US politics.


The right path is rarely the easy path. I agree it'll be an uphill battle.




This didn't do that back then either. You should be able to just pay someone to handle literally 100% of the work.


What should happen is prosecution of people who try to steal from others by falsely claiming debt is owed.


This is great advice. Thank you.


They use them for billing. Medical billing is incredibly broken, so most companies outsource it.


I had a small lab bill for my daughter (right after she was born) sent to collections because the address they had on file was for a location my daughter had never lived at. My wife and I had moved 2 years prior, and somehow the lab used our old address which they got from ???.

Reason #283942 that our medical system is horrendously broken in the US.


Three kids, pretty sure each one had something related to the birth or pregnancy care end up in collections. We could pay it all no problem and the things that went to collections were usually tiny, medical billing's just completely fucked up.

You get low-hundreds (not an exaggeration) different documents, handed to you and via mail over the course of a year (9ish months + a few after, ends up close to a year), some of which are bills and some of which look like bills but say "this is not a bill" (so... why'd you send it?) and some of which are from your insurance referencing other things and blah blah blah, then you get a few that are clearly a screwup and you call the provider and they're all "LOL no your insurance got it it's fine, ignore that bill" (!?!?! seriously, dafuq, how many people just pay it and do you give them their money back unless they ask?) and of course one of those pieces of paper is gonna slip through the cracks.

Insurances companies get a lot of shit, but the whole medical billing complex is rotten, top to bottom.


Yet according to some politicians, we have the best healthcare system IN THE WORLD!


Yeah, AMCA notified Quest about this 2 weeks ago but it wasn't made public until Quest filed an "Other Event" with the SEC today:

https://www.sec.gov/Archives/edgar/data/1022079/000094787119...


American health care is in sad shape, but personally I only know of two Quest patients who were sent to collections, and both were due to incompetent communication between Quest and the insurer.


Great. Yet another one. Can't even just get simple lab diagnostics anymore without having your SSN/CC number harvested... let's all look on in disbelief while these people barely get slapped on the wrist!

Just a reminder to everyone to keep passwords rotated, and to monitor your credit/bank account...


How many more decades of such data breaches is it going to take for organizations to start realizing that SSNs are not a good way to authenticate or identify people (a purpose they were never meant for), and that most people's SSNs have already been compromised?


It wasn't for identification. It was for financial purposes so that the collection agency could find the people.

Nevertheless, it's inexcusable to keep such PII in an open database without encryption and tight controls. I'm sure they allowed anyone in the company to browse people's personal info so the leeches could go out to suck blood.


There are very few common identity factors available for these companies. I'd almost be willing to have the US Govt develop a "medical ID number" specifically for this purpose.


It would have the same issues as SSN though: a number that once it leaks lets someone else have too much knowledge/power over you.


But that is THE FUNDAMENTAL problem. No one should be able to impersonate you and open up credit cards in your name simply by knowing your Name, Address, DOB, and SSN. Just as no one should be able to purchase things using your credit card account by knowing your name, credit card number, and expiration date (all of which are printed on the card, which you give to people for B&M purchases). The system is fundamentally broken, and that fact gets ignored by all the focus on "data breaches". At a minimum, we need to move to multifactor authentication and one time use "credit card numbers" generated at the time of the transaction.


And this is a function of power asymmetry. Why is it my problem that a bank issued a credit card to some guy in Romania or Russia who said they were me? It should be their problem unless they can prove it was me who opened the account. But they make it my problem through the enormous power they wield over our ability to participate in society.

If they come looking for the money I supposedly owe them on that account, I should be able to tell them to fuck off and collect from whoever they sent the card to of their own volition.

If they can't figure out whose business they took, maybe they need to reconsider their practices, otherwise they're just giving away money.


> one time use "credit card numbers" generated at the time of the transaction

PayPal used to have that feature but got rid of it for some reason.


Google Pay still offers this. I have a virtual card number that is given to merchants instead of my real CC number. I don't know if this is a feature for all of Google Pay or requires special integration with my particular CC/bank.


Capital One still has this feature for online transactions.


AMEX did too, I think the problem is the keyspace is small enough that it would be a serious problem.


Discover had that for a while, many years ago.


We're not solving this unless we can teach all people, even newborns and coma patients, to do 8192-bit RSA in their heads and to generate and remember suitable private keys all in their heads.

We're not solving this.


If the healthcare industry used medical ID numbers instead of SSNs, that would help. Better, banks should be forced to stop using SSNs completely. And forced to use 2-factor. Preferably both.


There is absolutely no technical reason why it should be the case if done properly.

With SIM cards or other hardware devices, your private key is never leaked (if "done properly").

With cryptos like BTC, you can generate many keys from one source of entropy, and treat them as disposable.

I don't see why medical records couldn't be encrypted with a disposable key, given by a hardware device which stores the seed, and only linked to the matching public key.


I wonder if it makes sense for the government (or private sector) to develop an official identity database and provide identity-as-a-service. One which has a public "username" that is unique/permanent and can be freely given out - a private "key"/password that you should never ever hand out to anyone - and physical offices that you can go to with your passport and other evidence, in order to change your password when needed. You could then develop apps or APIs on top of this, in order to authenticate your identity whenever requested by a 3rd party.


In Germany we have identity-as-a-service provided by post offices. You go there with an ID and the form and they send that form with confirmation to where it is needed. It's quite commonly used to open an account with an online bank, for example.

https://de.wikipedia.org/wiki/Postident

(And I just see that the service is also offered by the mailman, so they can come to you. Austria and Switzerland have similar services.)

edit: It's quite remarkable how sometimes people online say there should be something, and I'm like, yeah, we have that.. I wonder if it works the other way too. Probably.


In Sweden, we have one as well but organised by the banks, called BankID[0]. There used to be an open-source client[1] for it but it looks dead, now.

[0] - https://en.wikipedia.org/wiki/Electronic_identification#Swed...

[1] - https://git.fribid.se/fribid/


I suspect that won't happen with private industry because it's unlikely to have a cost advantage and it wouldn't be mandatory.


If it was separate from your SSN it could only be used for medical records tracking, thus not used for credit things. The SSN isn't supposed to be used for tracking, but it is anyways...


Exactly. At work I generate different API keys for different purposes, so when/if one gets compromised I can shut it off and generate a new one without all the integrations breaking. Right now SSN is the government's admin/root API key. One compromise and it's game over.

But if my medical ID got stolen I could turn it off and get a new one without invalidating my passport and disqualifying me from a car loan and locking me out of my college transcripts etc.
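The two ideas in this thread, many disposable keys derived from one hardware-held seed (the crypto-wallet comment above) and per-purpose identifiers that can be revoked like API keys (this comment), as one added example that is not code from any commenter. The key derivation and the "handle" a relying party stores are constructed for the demo, and the encrypt-then-MAC helper is a stand-in for a real AEAD such as AES-GCM.

```python
import hmac
import hashlib
import os
import secrets
from typing import Optional

# Added example: one master seed (held by a hardware token) yields many
# disposable per-purpose keys; each purpose can be rotated on its own.

def derive_key(seed: bytes, purpose: str, version: int) -> bytes:
    """32-byte disposable key for (purpose, version); HMAC-SHA256 used as a KDF.
    A leaked derived key reveals nothing about the seed or sibling keys."""
    label = f"{purpose}:v{version}".encode()
    return hmac.new(seed, label, hashlib.sha256).digest()

def public_handle(key: bytes) -> str:
    """Identifier a lab, insurer or bank may store: a one-way hash of the key.
    It links their records to the key without revealing the key itself."""
    return hashlib.sha256(b"handle|" + key).hexdigest()[:32]

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_record(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC for the demo only (constructed; use AES-GCM in practice)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac|" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_record(key: bytes, blob: bytes) -> Optional[bytes]:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac|" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key (e.g. rotated) or tampered record
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class IdentityWallet:
    """Holds the seed and a version counter per purpose (hypothetical design)."""
    def __init__(self, seed: Optional[bytes] = None):
        self.seed = seed or secrets.token_bytes(32)
        self.versions = {}

    def key(self, purpose: str) -> bytes:
        return derive_key(self.seed, purpose, self.versions.get(purpose, 0))

    def handle(self, purpose: str) -> str:
        return public_handle(self.key(purpose))

    def revoke(self, purpose: str) -> str:
        """Rotate one purpose only; every other purpose keeps its key and handle."""
        self.versions[purpose] = self.versions.get(purpose, 0) + 1
        return self.handle(purpose)

def demo() -> dict:
    wallet = IdentityWallet(seed=bytes.fromhex("00" * 32))  # fixed seed, reproducible demo
    lab_before, loan_before = wallet.handle("lab-billing"), wallet.handle("car-loan")
    record = encrypt_record(wallet.key("lab-billing"), b"CBC panel, billed $189.74")  # constructed
    leaked = wallet.key("lab-billing")  # suppose a collector leaks this key
    wallet.revoke("lab-billing")        # patient rotates just that purpose
    return {
        "lab_rotated": wallet.handle("lab-billing") != lab_before,
        "loan_unaffected": wallet.handle("car-loan") == loan_before,
        "new_key_cannot_read_old_record": decrypt_record(wallet.key("lab-billing"), record) is None,
        # caveat: rotation stops future use of the handle, it does not un-leak old ciphertext
        "leaked_key_still_reads_old": decrypt_record(leaked, record) == b"CBC panel, billed $189.74",
    }
```

The last flag is the caveat a defender would want: rotating a disposable key limits future exposure, but anything already encrypted under the leaked key (or already copied in the clear) stays exposed.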


Rightly or wrongly, abuse case - drug seeker. Go to doctor, get narcotic prescription. Get new medical ID, go to new doctor, repeat.


No, that doesn't solve anything. I could get a new SSN (I can't, but you can imagine I could), but then I need to update everyone who has my old SSN. Your scheme is the same, except with slightly fewer people to notify.


> I'd almost be willing to have the US Govt develop a "medical ID number" specifically for this purpose.

That (along with standard identifiers for health plans and providers, which survived as requirements) was originally part of HIPAA, though it was stripped out.




Just to clarify, it wasn't Quest that had the compromise; it was a 3rd-party collection agency to which Quest sold their delinquent accounts.

Quest doesn't store SSNs but the 3rd party evidently did as part of their efforts to identify people so they can collect.

That company needs a massive fine and being forced to offer free credit monitoring for LIFE for anyone so compromised.


Where did the third party get the SSNs from if not from Quest, who may not have been "storing" them (permanently), but sufficiently to make sure their collectors could utilize them.


Quest doesn't ask for SSN - I use them for my lab tests. If you're a collection agency you're going to be getting financial records which are going to include SSN (I assume from the financial reporting agencies) and your job is to connect them to the names of delinquent Quest customers.

So Quest has pretty much no blame here - it's the collection agencies that are allowed to buy people's financial records which include SSNs that are the bad guys here.


I'm just going to assume that I've already been pwned.

It's why I froze all five credit agency accounts & signed up for a credit monitoring agency via work.


This is really where it's at. I've got monitoring and am considering the freezing route too. I just never open lines of credit (maybe one every 3-4 years) so it's like why have it open in the first place...!?


Imagine the call fraud now. Hello Mrs Jones, I'm calling about the labs you had done last month, CBC, cardiac panel etc., with Dr Bob. I was alerted to make the call because your values are out of normal range and there are critical things I need to review with you. Before we get into the details I need to first confirm your identity.

-- Or -- Your insurance only covered part of the blood labs on the 12th. To release the results to your doctor I need to secure payment today for 189.74.


Name + ICD diagnosis, what a wonderful leak for blackmailers worldwide! (/s)

Seriously, these two pieces of data that are innocent alone, when taken separately (HIV, chlamydia, cancer...) should NEVER have been linked together, ESPECIALLY when given to a third party, EVEN MORE stored together.

I pray it will result in many lawsuits with hefty punitive damages, and that as a consequence private data will be considered a liability to be deleted as early as possible (just like corporate email in many companies)


Good catch. Reading between the lines I took this to mean that lab information was not leaked:

> The system contained sensitive data, including credit card numbers, bank account information, medical information and Social Security numbers, Quest said. Lab results were not provided to AMCA and were not exposed in the breach. AMCA thinks 11.9 million Quest patients were affected as of May 31, 2019, Quest said.

But it only says lab results were not leaked with the extremely generic label of medical information as being leaked. I wonder if "medical information" includes lab codes or what exactly it consists of?


Medical information is likely to be ICD codes for the active diagnosis, and antecedents (history) for this patient.

This is worse than full text medical information because everything is already coded, so you can make some simple algorithms to find crunchy details with a very high specificity.


Billing amounts will correlate with tests administered, so even without lab results a ton could be inferred from a sequence of billing amounts even _without_ ICD codes. Including the codes removes ambiguity.


Insurance won't cover tests without the "allowed" ICD codes for it. It's silly and just another part of the bureaucracy making things inefficient.


(see my comment suggesting disposable keys, like for crypto wallets: https://news.ycombinator.com/item?id=20088758 )

If the "allowed" ICD code is linked to the public key, or in the worst case if the patient provides the disposable private key to the insurance for verification (along with PCI like rules forbidding this key to be stored, like credit card expiration date if I remember correctly) this couldn't happen.

It is gross negligence to keep these things together for longer than they need to be. Private data should be seen as a liability.


In the past I've done software for healthcare, and happened to learn this, for the privacy conscious:

You can order anonymous labs for yourself through various online lab resellers. At the lab, you don't need ID, just the order. You will get lab results; you will not get a diagnosis.

For instance, and not a recommendation:

FAQ: https://www.health-tests-direct.com/frequently-asked-questio...

Q: How can I keep my “true” identity from HTD, and the clinic, and the lab?

A: Easy -- Don’t give us your phone number or credit card info. Then mail us a money order (a money order does not require your name or signature) for the total amount due for the blood draw and lab analysis. We will e-mail the lab paperwork to you when the money order arrives and email the lab results to you the same day we receive those 2-3 days later. If you want, you can even set up a temporary (and free) “alias” e-mail address at Yahoo! (e.g.,“YourAliasName”@yahoo.com) for the purpose of our email communications with you...

There are two more things we hope that you will feel more comfortable knowing: First, 99.99% of the blood draw centers we send you to will NOT ask for your photo I.D. when you go in for your blood test. And, in the very-very rare event that one should they do so, don’t feel obligated to show it to them. Instead, leave the PSC and immediately call us. We will find you another PSC! Or, keep in mind, that your lab tests results are NEVER sent to or shared with the clinic or its personnel that does your blood draw. Only YOU get your lab results, and NOBODY else. So, if you are asked, and you DO decide to show them your drivers license or other ID, rest assured that they will NEVER see or know the result of your test(s) anyway!

See also: https://www.walkinlab.com/help-contents#privacy

Q - Can I do anonymous testing?

A - Yes, an order can be placed anonymously. The First Name field must start with an alpha or numeric character and the Last Name must be an alpha character. Your correct date of birth and gender are required.

Both of these work with LabCorp and Quest Diagnostics, DuckDuckGo can help you find more.


Hey, maybe we shouldn't centralize huge amounts of sensitive information?


The US Govt wants to federalize this, think about how much worse it could've been.


The government is far from perfect but private corporations have not exactly proven to be great stewards of data privacy or fiscal responsibility.


Yeah, that OPM hack was greaaaaaaat....


Nobody should be allowed to hold this amount of sensitive information about customers without paying a large bond to hold that information. It's clear that these companies will not minimize their data collection since storage is practically infinite, so make it cost them so they have an actual reason to care.


Is this a HIPAA violation?


It's a breach, so yeah. That said, it'll probably get covered by insurance...


If it is a HIPAA violation the fines are deliberately per instance - eg 12 million * (the fine), and I can't recall whether HIPAA considers each piece of data a separate violation.

But I think to be a HIPAA violation it would need to have information about what tests are involved - eg just a monetary debt and knowing it came from a lab might be argued as not being a violation?

That said until there are mandatory per-person-per-data-leaked fines, coupled with liability for misuse of that data, companies are just going to continue leaking because they “compensate” people by giving them “free” credit monitoring.

That last bit is great because it only resolves financial service harm, and offloads actually preventing fraud to the victims of these companies.


I tried dealing with Quest recently and gave up. They don't answer their phone, or do and hang up. The more I see these breaches, the more it seems like it mostly comes down to someone either implicitly or explicitly making the decision that the costs of customer service (which includes data privacy) aren't worth it.


Quest is one of the leading providers of employment and pre-employment drug testing. Their "customers" do not have much choice to avoid them. They are often not "patients" in need of medical care. The tests are often paid for by interested parties like employers. Now I have to assume that because of a drug test required for my background checks, my identity was compromised yet again.

Which politician can make ID data breaches financially ruinous and their concealment criminal?


We send a few thousand life insurance applicants per year to Quest. Quest is the 800 pound gorilla for insurance exam lab work. It’s unfortunate, but alternatives are likely less secure and we’ll continue using Quest.


Nice, just went there today. Good job Quest!


Curious - who are the possible "third party forensics firms" that would investigate this?



