MARK R. WARNER
United States Senate
FINANCE; BANKING, HOUSING, AND URBAN AFFAIRS; RULES AND ADMINISTRATION

June 5, 2019

Mr. Stephen H. Rusckowski
Chairman, President and Chief Executive Officer
Quest Diagnostics
300 Plaza Drive
Secaucus, NJ 0709

Dear Mr. Rusckowski,

On Monday June 3rd it was publicly reported that the data of an estimated 11.9 million of your customers were exposed by one of your bill collection vendors, American Medical Collection Agency (ACMA). According to your SEC filing, between August 1st 2018 and March 30th 2019, an unauthorized user had access to American Medical Collection Agency's systems and data that included credit card numbers and bank account information, medical information, and other sensitive personal information like social security numbers. A statement by ACMA noted that the company was made aware of the breach by a security compliance firm that works with credit card companies. An internal review was then conducted by ACMA, which took down the web payments page, and notified law enforcement.

While I am heartened to learn that no evidence currently suggests Quest Diagnostic's systems were breached, I am concerned about your supply chain management, and your third party selection and monitoring process. According to a recent report, 20 percent of data breaches in the health care sector last year were traced to third-party vendors, and an estimated 56 percent of provider organizations have experienced a third-party breach.[1] One set of major vendor breaches in the last year were caused by a third-party administrator for health insurance companies and impacted Highmark BCBS, Aetna, Emblem Health, Humana, and United Health.[2] In February of this year I queried a number of health care stakeholders seeking input on how we might improve cybersecurity in the health care industry.

As I work with stakeholders to develop a short and long term strategy for reducing cybersecurity vulnerabilities in the health care sector, I would like more information on your vendor selection and due diligence process, sub-supplier monitoring, continuous vendor evaluation policies, and what you plan to do about your other vendors, given the vulnerability and information security failures of this one.

Having long been an advocate for transparency and reporting of data breach information, I commend your reporting and handling of the breach notification, but I am still concerned with the third party evaluation and monitoring process. To gain a better understanding of this situation, I would appreciate answers to the following questions:

1. Please describe your third-party vendor information security vetting process.
2. If you secure a contract with a third-party to collect information from your customers, do you have a process for evaluating the standards used by that entity, the sub-supplier, to secure their information systems?
3. What are your third-party vendor security and risk assessment requirements?
4. What are your third-party requirements for how customer information is processed and stored?
5. What are your third-party vendor requirements for data encryption?
6. How are you ensuring that your other third-party vendors like ACMA are not similarly vulnerable to point of sale malware or other information security vulnerabilities?

Thank you for your attention to this important issue. I look forward to your response in the next two weeks.

Sincerely,

Mark R. Warner
United States Senator

[1] "Third-Party Vendors Behind 20% of Healthcare Data Breaches in 2018." https://healthitsecurity.com/news/third-party-vendors-behind-20-of-healthcare-data-breaches-in-2018; "CynergisTek's Report Reveals Continued Challenges from Healthcare Organizations on Cybersecurity Preparation." https://insights.cynergistek.com/news/cynergistek-s-report-reveals-continued-challenges-from-healthcare-organizations-on-cybersecurity-preparation
[2] "Delaware Officials Say Data Breach Affects Five Companies, 650 Consumers," https://www.insurancejournal.com/news/east/2019/01/28/515902.htm
