[BreachExchange] Health Quest data breach revealed Social Security numbers, payment card information

Destry Winant destry at riskbasedsecurity.com
Mon Jan 20 10:01:07 EST 2020


https://www.msn.com/en-us/news/us/health-quest-data-breach-revealed-social-security-numbers-payment-card-information/ar-BBZ47zi

A 2018 data breach involving Health Quest employees was found to have
impacted more customers and revealed more information than the
healthcare network originally believed.

Information such as Social Security numbers and payment card
information was potentially leaked, according to a press release from
Health Quest.

Health Quest, which became part of Nuvance Health in merger last
April, is sending another round of letters to inform patients of the
larger scope of the breach. Health Quest was not able to quantify how
many of its customers were impacted.

A July 2018 phishing incident resulted in multiple Health Quest
employees sharing their email account usernames and passwords.

A cybersecurity firm hired by Health Quest found these accounts had
email attachments containing patient information, including patient
names, date of birth, Social Security numbers, driver's license
numbers, financial account information, PINs and security codes,
payment card information, provider names, dates of treatment,
treatment and diagnosis information and health insurance claims
information.

Health Quest's $2.4B merger: How officials say Nuvance will benefit patients

The impacted email accounts were secured after learning of the attack,
Health Quest said.

Health Quest first sent letters to impacted patients last May, but the
network determined that additional notices needed to be sent. At the
time, the network said the breach revealed emailed attachments that
included patients' health, treatment and insurance claims information.

John Nelson, director of public and community affairs with Health
Quest, said the company is notifying both new individuals who may have
been impacted by the breach and patients they've previously contacted
regarding the scope of the breach.

"Because of the voluminous number of emails affected, we realized that
we needed to send additional notices," Nelson said, noting the
cybersecurity firm's investigation has concluded.

Health Quest started sending the letters this month, and those
affected are expected to receive them by Feb. 15.

Patients whose Social Security number or driver's license number were
potentially exposed in the breach can accept complimentary credit
monitoring and identity protection services from Health Quest, per the
release.

In response to the incident, Health Quest is enacting stricter
security measures, including multi-factor authentication, and
providing cybersecurity training for employees, the company said.

Anyone with questions can contact Health Quest's call center at
1-844-967-1236, Monday through Friday, between 9 a.m. and 6:30 p.m.


More information about the BreachExchange mailing list