The hack has also renewed warnings about the cybersecurity risks from third-party vendors. Opko Health Inc. recently joined rivals Quest Diagnostics Inc. and Laboratory Corporation of America Holdings in disclosing that it had been informed of unauthorized access to customer data held by American Medical Collection Agency (AMCA). As Reuters reports, the AMCA breach is thought to have affected 422,600 customers of Opko Health, compared to 11.9 million of Quest and 7.7 million of LabCorp.
Quest has already been hit with a putative class action over the breach, which compromised Social Security numbers, medical data and banking details. The lawsuit on behalf of customers was filed in New Jersey federal court, reports Law360.
Leaders in Congress are also asking questions about the incident, reports Bloomberg. Three U.S. Senators—Bob Menendez and Cory Booker (both D-N.J.), along with Mark Warner (D-Va.)—wrote to Quest. In one letter, Warner noted, “I am concerned about your supply chain management, and your third party selection and monitoring process.” Separately, Menendez and Booker called on the New Jersey-based company for more information about its response to the breach.
Elsewhere, Michigan Attorney General Dana Nessel sent letters to Quest, AMCA and a third company, Optum360, which contracted with AMCA as a service provider to Quest. “This data breach is yet another example of how fragile our information infrastructure is, and how vulnerable all of us are to cyber hacking,” Nessel said, as local Fox 47 News reports.
Third-party vendor breaches are not unique to healthcare. As CPO Magazine reports, Pyramid Hotel Group—a lodging management group that provides service to several well-known hotel chains—recently discovered a breach of its security logs, potentially helping hackers compromise security at these hotel chains in the future.
A Security Boulevard blog post advises that organizations can help ensure the cybersecurity of their third-party vendors by routinely evaluating vendors, conducting regular security audits and controlling what vendors can access.