February 16, 2017
The Hack in Quest Diagnostics’ Health Data App and The Issue of Patient Privacy Online
Last November, Guest Diagnostics — a medical laboratory based in New Jersey — suffered a major hack through a mobile health app called « MyQuest by Care360 ». According to the company, an « unauthorized third party » accessed the patient information of about 34,000 individuals, including their names, date of birth, telephone numbers, and lab results. In response, Quest Diagnostics notified all affected patients and law enforcement authorities. The company also declared the investigation on the hack was still going on, and that it had taken security steps to address the vulnerability of the app in the future.
Attacks on patient databases have increased dramatically over recent years, both in terms of number and in terms of scale. In 2016 only, hundreds of breaches involving millions of health records were reported to the Department of Health and Human Services. In some cases, the attacks affected a significant portion of the U.S. population. For instance, the hacking of two major health insurers affected over 90 million Americans last year. Several hospitals and health care systems have even been held for ransom by hackers.
While the sensitivity of health data may seem obvious for each concerned individual, its value for cybercriminals is also substantial. In the case of the Quest Diagnostics attack, no misuse of the stolen data has been reported so far. Nevertheless, stolen health data are valuable: they can notably enable cybercriminals to fraudulently bill insurance companies for the purchase of medical equipment or drugs, which can further be resold on black markets.
Health data is also valuable for hackers for an extrinsic reason, namely the relatively low security standards in place that often make hacking feasible. Usually, health records are stored by service providers in huge central databases and are not encrypted. And with the proliferation of social media platforms, wearable devices and other healthcare applications, the numbers of such health-related databased have increased significantly. As a result, the opportunities for hackers have exploded.
Considering the increase in the potential threats to patients’ privacy and the actual number of attacks, many have called for greater regulatory protection for health information processing, including when the information is processed by entities that are not already covered by the HIPAA rules. Some have called for an extension of the scope of the notion of health data, to cover all health-related data, such as information collected by wearable devices or healthcare apps, but also anonymized data when re-identification remains possible. In terms of security, some consider that all entities processing health-related information should be required to encrypt all sensitive data, but also to disaggregate patient or consumer records in separate units. These units could take the form of digital wallets for each patient. This restructuring of health databases would reportedly allow more control by patients on their own medical data, including to consent to its further use by outside organizations for purposes unrelated to patient care (e.g., data analytics, advertising).