MARK R. WARNER
United States Senate
FINANCE
BANKING, HOUSING, AND URBAN AFFAIRS
RULES AND ADMINISTRATION
June 5, 2019
Mr. Stephen H. Rusckowski
Chairman, President and Chief Executive Officer
Quest Diagnostics
300 Plaza Drive
Secaucus, NJ 0709
Dear Mr. Rusckowski,
On Monday June 3rd it was publicly reported that the data of an estimated 11.9 million of your customers were exposed by one of your bill collection vendors, American Medical Collection Agency (ACMA). According to your SEC filing, between August 1st 2018 and March 30th 2019, "an unauthorized user had access to American Medical Collection Agency's systems and data that included credit card numbers and bank account information, medical information, and other sensitive personal information like social security numbers." A statement by ACMA noted that the company was made aware of the breach by a security compliance firm that works with credit card companies. An internal review was then conducted by ACMA, which took down the web payments page, and notified law enforcement.
While I am heartened to learn that no evidence currently suggests Quest Diagnostics' systems were breached, I am concerned about your supply chain management, and your third party selection and monitoring process. According to a recent report, 20 percent of data breaches in the health care sector last year were traced to third-party vendors, and an estimated 56 percent of provider organizations have experienced a third-party breach.¹ One set of major vendor breaches in the last year was caused by a third-party administrator for health insurance companies and impacted Highmark BCBS, Aetna, Emblem Health, Humana, and United Health.²
In February of this year I queried a number of health care stakeholders seeking input on how we might improve cybersecurity in the health care industry. As I work with stakeholders to develop a short and long term strategy for reducing cybersecurity vulnerabilities in the health care sector, I would like more information on your vendor selection and due diligence process, sub-supplier monitoring, continuous vendor evaluation policies, and what you plan to do about your other vendors, given the vulnerability and information security failures of this one.
¹ "Third-Party Vendors Behind 20% of Healthcare Data Breaches in 2018," https://healthitsecurity.com/news/third-party-vendors-behind-20-of-healthcare-data-breaches-in-2018; "CynergisTek's Report Reveals Continued Challenges from Healthcare Organizations on Cybersecurity Preparation," https://insights.cynergistek.com/news/cynergistek-s-report-reveals-continued-challenges-from-healthcare-organizations-on-cybersecurity-preparation
² "Delaware Officials Say Data Breach Affects Five Companies, 650 Consumers," https://www.insurancejournal.com/news/east/2019/01/28/515902.htm
Having long been an advocate for transparency and reporting of data breach information, I commend your reporting and handling of the breach notification, but I am still concerned with the third party evaluation and monitoring process.
To gain a better understanding of this situation, I would appreciate answers to the following questions:
1. Please describe your third-party vendor information security vetting process.
2. If you secure a contract with a third-party to collect information from your customers, do you have a process for evaluating the standards used by that entity, the sub-supplier, to secure their information systems?
3. What are your third-party vendor security and risk assessment requirements?
4. What are your third-party requirements for how customer information is processed and stored?
5. What are your third-party vendor requirements for data encryption?
6. How are you ensuring that your other third-party vendors like ACMA are not similarly vulnerable to point of sale malware or other information security vulnerabilities?
Thank you for your attention to this important issue. I look forward to your response in the next two weeks.
Sincerely,
Mark R. Warner
United States Senator