The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: Democrats push for answers on medical lab breaches

Placeholder while article actions load

with Tonya Riley


Democratic senators are pressing for answers about a data breach that has affected at least 20 million patients from three different medical testing labs.

The senators want to know what those testing labs did to vet the security protections of the bill collection agency that suffered the breach and how the breach was able to continue for eight months before they learned about it, according to a flurry of letters from Sens. Robert Menendez (N.J.), Cory Booker (N.J.) and Mark R. Warner (Va.).

And in a letter to the bill collector, American Medical Collection Agency, that’s going out this morning, Menendez and Booker will demand to know whether any other companies were victimized by the breach and what cybersecurity protections the company had in place, according to a copy shared with me.

“Patients have a right to expect nothing more from laboratory testing than accurate results and a fair bill,” the letter states. “A risk of identity theft should not be part of their testing experience.”

Quest Diagnostics, at which nearly 12 million patients had their data compromised, including sensitive medical information, is based in New Jersey, the home state of Menendez and Booker. That breach did not include lab results, Quest said.

The 20 million people impacted by breach at the three medical labs is a huge number — but it’s dwarfed by some of the mega breaches in recent years. For scale: The 2017 breach at credit ratings agency Equifax saw the compromise of personal information of more than 140 million Americans. The largest hack of medical data was at the health insurer Anthem in 2014 and affected 78 million people. The Justice Department indicted a Chinese hacking group for that breach last month. 

The fact that this breach included medical data in at least one case will help to focus public attention on it and could push Congress to make some reforms to the standards companies must meet when they handle people’s personal information. 

“That it was a medical vendor, that will upset people,” Michelle Richardson, director of the Center for Democracy and Technology’s Data and Privacy Project, told me. “Stories like this keep piling up and it slowly increases the pressure.” 

Lawmakers may even try to link heightened data security standards to privacy legislation that Congress is likely to consider this year after major controversies about top tech companies improperly sharing user data, Richardson said. Companies are generally bound by loose Federal Trade Commission rules about how securely they must protect customer data and by a patchwork of state laws about how and when have to notify customers about a breach. Health companies are bound by more stringent laws focused on patient privacy.

But getting a bipartisan agreement on improved data security protections will be a tall order given opposition from industry, which has historically argued against strict security standards.

Lawmakers introduced a slew of major data protection bills in the wake of the Equifax breach — which affected roughly 40 percent of the United States population — but none of them became law.

In the case of the medical labs, the breach exposed personal and financial data, such as addresses, credit card numbers and banking information of patients at Quest, LabCorp and Opko Health. The breach at Quest was bigger and also included medical data and Social Security numbers.

AMCA shut down the Web payment portal that was breached and alerted law enforcement, the company told me in a statement. The company is also purchasing two years of free credit monitoring for anyone whose Social Security number or credit card information was compromised, the statement said.

Those efforts to clean up after the breach were insufficient, though, for Menendez and Booker, who are demanding a slew of information about the company’s security practices, including how often it audits vulnerabilities in its technology systems, how large its cybersecurity staff is and whether it has a chief cybersecurity officer.

“We must ensure that entities with access to patients’ personal, medical, and financial information understand their heightened duty to protect both the patient and their sensitive information, and that your company is taking both immediate and long-term steps to mitigate any harm,” the letter states.


PINGED: Google executives are asking the Trump administration to exempt the company from a ban on supplying software and components to the Chinese telecom Huawei, the Financial Times’s Kiran Stacey and James Politi report.  

“Google in particular is concerned it would not be allowed to update its Android operating system on Huawei’s smartphones, which it argues would prompt the Chinese company to develop its own version of the software,” the Financial Times reported. And “Google argues a Huawei-modified version of Android would be more susceptible to being hacked.”

The Trump administration imposed the ban last month following years of concern that Huawei technology could be used as a spying tool by the Chinese government. The administration also banned Huawei from supplying parts for the United States’ next-generation 5G wireless networks and has been urging allies to do the same.

“Google has been arguing that by stopping it from dealing with Huawei, the U.S. risks creating two kinds of Android operating system: the genuine version and a hybrid one. The hybrid one is likely to have more bugs in it than the Google one, and so could put Huawei phones more at risk of being hacked, not least by China,” according to a person “with knowledge of the conversations” who spoke with Stacey and Politi.

Facebook, meanwhile, has suspended pre-installation of its apps on Huawei phones, Reuters's Katie Paul reported

PATCHED: Federal election commissioners reversed course Thursday and appear ready to approve a small company to offer political campaigns free cybersecurity services — a move they previously suggested would be an illegal campaign contribution.

A key point that changed commissioners’ minds was the company Area 1 Security’s argument that it will get a major benefit from the free services that has nothing to do with currying political favor — it will get to study the tactics of some of the most sophisticated hackers from Russia and China as they target American political campaigns. Then it can use that data to better protect its other customers.

“The stakes are very high. These are some of the most heavily hacked people around,” Area 1’s lawyer Daniel Petalas told me. 

With both lawmakers and candidates concerned that Russia, China and other nation-states will exploit cybersecurity vulnerabilities in 2020, private companies and nonprofits have been stepping up to offer their services to campaigns. Last month, the commission issued an opinion that approved the use of free cybersecurity services from the nonprofit Defending Digital Campaigns. But commissioners are more concered that free services from the private sector will result in influence peddling.

The commissioners haven’t totally signed off on Area 1’s request yet, but they invited the company to write a new request that they’ll consider at a future meeting.

PWNED: The dark web economy where criminals can buy stolen data from Fortune 400 companies and tools to hack those companies is booming, according to a report released Thursday by the company Bromium.

The study authors found dark web vendors touting tools that claimed to grant access to data at Bank of America, Qatar National Bank, and a host of other high-profile companies for as little as $10.

Nearly 35 percent of the hacking tools for sale in the shady online marketplaces that are segregated from the World Wide Web targeted financial services companies, the report found.

Gregory Webb, chief executive of Bromium, the company that underwrote the study, described the dark web as a “veritable candy store” of “bespoke malware, access to corporate networks, and targeted corporate espionage services.”

The Justice Department has tried to crack down on dark web marketplaces — which have also been a haven for illegal drugs and child pornography — but the market for stolen data and hacking tools has largely remained unscathed. The Bromium study showed that dark web listings for tools to hack financial-services firms have increased 20 percent over the past three years

Here’s more on the report from Cyberscoop's Jeff Stone.


Cybersecurity news from the public sector:

Nuclear energy regulators need to bring on more cyber experts, watchdog says (Nextgov)

How a phone scam tied up a Maryland police call center (Axios)

NGA selects six states for election cybersecurity policy academy (StateScoop)

Election rules are an obstacle to cybersecurity of presidential campaigns (The New York Times)


Cybersecurity news from the private sector:

Image-Recognition Technology May Not Be as Secure as We Think (Wall Street Journal)

Google confirms that advanced backdoor came preinstalled on Android devices (Ars Technica)

Fortune 500 giant Tech Data exposed customer and billing data (TechCrunch)

A backdoor in Optergy tech could remotely shut down a smart building ‘with one click’ (TechCrunch)


Cybersecurity news from abroad:

'Shoddy' Huawei needs to raise its game, UK cyber official says (Reuters)

Canada elections chief says hackers aim to keep people from voting (Reuters)

Privacy watchdog criticizes Cathay Pacific over 2018 data breach (Reuters)

China 'behind' huge ANU hack amid fears government employees could be compromised (The Sydney Morning Herald)


Listen for the log-in: Hackers may glean your password by listening to how you type on your phone (Hamza Shaban)


-- Sen. Ron Wyden (D-Ore.) is finding a creative new way to advocate for election security reforms: