Recent breaches at vendors for Quest Diagnostics and LabCorp have exposed both payment and health data, a very dangerous combination.
The risk comes from the range of insurance, health and financial services exposure. These incidents demonstrate the continuing trend of attacking vendors to gain access to the broadest possible range of valuable personal information.
A recent study by Carbon Black indicates the most valuable offering on the Dark Web today is health care information combined with personal financial data.
The breach announced by
There may also be some regulatory exposure for the health care companies. Under the HIPAA Omnibus Rule Business Associates have specific obligations to protect personal health information, and Covered Entities (in this case Quest) is required to conduct appropriate due diligence to ensure that their Business Associate has the required data security protections in place.
Perhaps the most troubling aspect of breached health care information is that there is no mechanism in place to prevent its misuse. Action can be taken to freeze information at credit bureaus and indicate that financial information has been compromised.
In addition, financial institutions have programs in place to take corrective action to prevent the unauthorized use of credit cards and accounts once information has been compromised. However, no such centralized process exists for health care or insurance information, making it extremely difficult to prevent the unauthorized use of this information.
