Quest Diagnostics Breach - Managing 3rd Party Risk

Breach Report

Miami, Florida
June 5, 2019

UPDATE: Retrieval-Masters Creditors Bureau, the parent company of the third-party billing company American Medical Collection Agency (AMCA), has filed for Chapter 11 bankruptcy on AMCA’s behalf following the data breach discovered in March. According to Bloomberg, AMCA’s breach exposed the personal, financial, and health data of up to 20 million Quest Diagnostics, LabCorp, and BioReference patients.

In a court declaration Russell H. Fuchs, Chief Executive Officer of Retrieval-Masters Creditors Bureau, stated the bankruptcy petition was the ultimate result of a “cascade of events” and “enormous expenses that were beyond the ability of the Debtor to bear”. The filing states that AMCA has spent in excess of $3.8 million to notify affected customers. Furthermore, AMCA had to spend $400,000 to hire IT staff and consultants and has since lost most of its largest clients.

AMCA and Quest Diagnostics are also facing a class action lawsuit in the United States District Court for the District of New Jersey seeking more than $5 million in damages resulting from the data breach.

The age of cloud computing is here, and organizations must adopt cloud security posture management tools to combat the new vulnerabilities it brings. In a filing with the Securities and Exchange Commission (SEC), Quest Diagnostics Inc (NYSE: DGX) disclosed that the personal information of 11.9 million customers has potentially been breached. The cause of the breach has been attributed to an unauthorized user gaining access to an American Medical Collection Agency (AMCA) system. AMCA is a third-party billing vendor hired by Optum 360, another Quest contractor.

Quest Diagnostics, one of the largest blood testing providers in the U.S., stated: “The information on AMCA’s affected system included financial information (e.g., credit card numbers and bank account information), medical information and other personal information (e.g., Social Security Numbers).”

Quest Diagnostics is not the only firm to struggle with third-party risk management. According to a Ponemon study, 61% of U.S. respondents said they have experienced a data breach caused by one of their vendors and third parties. Continued adoption of public cloud infrastructure has created new challenges and risks for security teams. Organizations must now not only be cognizant of their own security and compliance posture but also that of their vendors and contractors.

The days of yearly security and compliance audits are over. Aside from the headache of legacy manual auditing processes, one-time audits only provide a snapshot of an organization’s risk posture at a given point in time. Furthermore, the speed of modern development cycles means an organization’s risk posture can change drastically in as little as 24 hours. Enterprises want continuous and on-demand assurance that third parties are properly handling their customers’ sensitive data. Although an enterprise may not be directly liable for third-party data breaches, it will certainly experience negative repercussions, such as reputation damage and customer churn, which are often more costly.

To prevent data breaches like the one at Quest Diagnostics and to minimize potential liabilities, security teams must ensure that potential business partners and contractors enforce security best practices before any data is shared. Once data sharing has begun, security teams must then continuously assess third-party cloud security and compliance postures. The importance of these practices will only increase as data sharing networks grow and become more complex.

SECBERUS simplifies this process, allowing organizations to employ a multi-tenancy approach to security and compliance. SECBERUS consolidates organizations’ and third-party multi-cloud public infrastructure data within a single dashboard to provide users with a holistic view of all relevant cloud accounts, assets, and workloads.

For news and media inquiries, please reach out to

Founded in Miami in 2018, SECBERUS is a real-time cloud security posture management (CSPM) & compliance reporting platform that enables DevSecOps engineers to audit and enforce their security configuration across multiple public cloud platforms. Companies can deploy the SECBERUS solution in minutes and obtain end-to-end asset visibility, misconfiguration discovery, compliance posture, and the ability to enforce security policies in real-time.

SECBERUS delivers security & compliance confidence in the cloud to modern enterprises.


Copyright © SECBERUS, Inc. 2018-19 ALL RIGHTS RESERVED -