MARK R. WARNER, VIRGINIA
COMMITTEES: BANKING, HOUSING, AND URBAN AFFAIRS; INTELLIGENCE; RULES AND ADMINISTRATION

United States Senate
WASHINGTON, DC 20510-4608

June 5, 2019

Mr. Stephen H. Rusckowski
Chairman, President and Chief Executive Officer
Quest Diagnostics
500 Plaza Drive
Secaucus, NJ 0709

Dear Mr. Rusckowski,

On Monday, June 3, it was publicly reported that the data of an estimated 11.9 million of your customers were exposed by one of your bill collection vendors, American Medical Collection Agency (ACMA). According to your SEC filing, between August 1, 2018 and March 30, 2019, an unauthorized user had access to American Medical Collection Agency's systems and data that included credit card numbers and bank account information, medical information, and other sensitive personal information like Social Security numbers. A statement by ACMA noted that the company was made aware of the breach by a security compliance firm that works with credit card companies. An internal review was then conducted by ACMA, which took down the web payments page and notified law enforcement.

While I am heartened to learn that no evidence currently suggests Quest Diagnostics' systems were breached, I am concerned about your supply chain management and your third-party selection and monitoring process. According to a recent report, 20 percent of data breaches in the health care sector last year were traced to third-party vendors, and an estimated 56 percent of provider organizations have experienced a third-party breach.[1] One set of major vendor breaches in the last year was caused by a third-party administrator for health insurance companies, and impacted Highmark BCBS, Aetna, Emblem Health, Humana, and United Health.[2] In February of this year I queried a number of health care stakeholders seeking input on how we might improve cybersecurity in the health care industry.

As I work with stakeholders to develop a short- and long-term strategy for reducing cybersecurity vulnerabilities in the health care sector, I would like more information on your vendor selection and due diligence process, sub-supplier monitoring, continuous vendor evaluation policies, and what you plan to do about your other vendors, given the vulnerability and information security failures of this one.

Having long been an advocate for timely reporting of data breach information, I commend your reporting and handling of the breach notification, but I am still concerned with the third-party evaluation and monitoring process. To gain a better understanding of this situation, I would appreciate answers to the following questions:

1. Please describe your third-party vendor information security vetting process.
2. If you secure a contract with a third party to collect information from your customers, do you have a process for evaluating the standards used by that entity, the sub-supplier, to secure their information systems?
3. What are your third-party vendor security and risk assessment requirements?
4. What are your third-party requirements for how customer information is processed and stored?
5. What are your third-party vendor requirements for data encryption?
6. How are you ensuring that your other third-party vendors like ACMA are not similarly vulnerable to point-of-sale malware or other information security vulnerabilities?

Thank you for your attention to this important issue. I look forward to your response in the next two weeks.

Mark R. Warner
United States Senator

[1] "Third-Party Vendors Behind 20% of Healthcare Data Breaches in 2018." (URL fragment as scanned: vvendors-behind-20-of-healthcare-data-breaches-in-2018); "CynergisTek's Report Reveals Continued Challenges from Healthcare Organizations on Cybersecurity Preparation." https://insights.cynergistek.com/news/cynergistek-s-report-reveals-continued-challenges-from-healthcare-organizations-on-cybersecurity-preparation
[2] "Delaware Officials Say Data Breach Affects Five Companies, 650 Consumers." https://www.insurancejournal.com/news/east/2019/01/28/515902.htm