U.S. Sen. Mark R. Warner (D-VA), a member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus, wrote to the CEO of Quest Diagnostics, asking for information on the company’s supply chain management and cybersecurity practices after the company reported on Monday that the data of approximately 11.9 million Quest patients may have been compromised as a result of a breach of a system used by one of Quest’s contractors.
MARK R. WARNER
VIRGINIA
United States Senate
WASHINGTON, DC 20510-4608
COMMITTEES: BANKING, HOUSING, AND URBAN AFFAIRS; INTELLIGENCE; RULES AND ADMINISTRATION
June 5, 2019
Mr. Stephen H. Rusckowski
Chairman, President and Chief Executive Officer
Quest Diagnostics
500 Plaza Drive
Secaucus, NJ 0709
Dear Mr. Rusckowski,
On Monday, June 3, it was publicly reported that the data of an estimated 11.9 million of your
customers were exposed by one of your bill collection vendors, American Medical Collection
Agency (ACMA). According to your SEC filing, between August 1, 2018 and March 30, 2019,
an unauthorized user had access to American Medical Collection Agency’s systems and data that
included credit card numbers and bank account information, medical information, and other
sensitive personal information like social security numbers. A statement by ACMA noted that
the company was made aware of the breach by a security compliance firm that works with credit
card companies. An internal review was then conducted by ACMA, which took down the web
payments page, and notified law enforcement.
While I am heartened to learn that no evidence currently suggests Quest Diagnostics’ systems
were breached, I am concerned about your supply chain management, and your third party
selection and monitoring process. According to a recent report, 20 percent of data breaches in the
health care sector last year were traced to third-party vendors, and an estimated 56 percent of
provider organizations have experienced a third-party breach.[1] One set of major vendor breaches
in the last year were caused by a third-party administrator for health insurance companies, and
impacted Highmark BCBS, Aetna, Emblem Health, Humana, and United Health.[2]
In February of this year I queried a number of health care stakeholders seeking input on how we
might improve cybersecurity in the health care industry. As I work with stakeholders to develop
a short and long term strategy for reducing cybersecurity vulnerabilities in the health care sector,
I would like more information on your vendor selection and due diligence process, sub-supplier
monitoring, continuous vendor evaluation policies, and what you plan to do about your other
vendors, given the vulnerability and information security failures of this one.
[1] “Third-Party Vendors Behind 20% of Healthcare Data Breaches in 2018.” https://healthitsecurity.com/news/third-party-vendors-behind-20-of-healthcare-data-breaches-in-2018; “CynergisTek’s Report Reveals Continued Challenges from Healthcare Organizations on Cybersecurity Preparation.” https://insights.cynergistek.com/news/cynergistek-s-report-reveals-continued-challenges-from-healthcare-organizations-on-cybersecurity-preparation
[2] “Delaware Officials Say Data Breach Affects Five Companies, 650 Consumers.” https://www.insurancejournal.com/news/east/2019/01/28/515902.htm
Having long been an advocate of better sharing of data breach information, I
commend your reporting and handling of the breach notification, but I am still concerned with
the third party evaluation and monitoring process. To
gain a better understanding of this situation, I would appreciate answers to the following
questions:
1. Please describe your third-party vendor information security vetting process.
2. If you secure a contract with a third-party to collect information from your customers, do
you have a process for evaluating the standards used by that entity, the sub-supplier, to
secure their information systems?
3. What are your third-party vendor security and risk assessment requirements?
4. What are your third-party requirements for how customer information is processed and
stored?
5. What are your third-party vendor requirements for data encryption?
6. How are you ensuring that your other third-party vendors like ACMA are not similarly
vulnerable to point of sale malware or other information security vulnerabilities?
Thank you for your attention to this important issue. I look forward to your response in the next
two weeks.
United States Senator