Yet another insider breach – this one at New Jersey-based Quest Diagnostics.
On August 17, Quest notified the New Hampshire Attorney General’s Office that in late July, it became aware that an employee had forwarded certain e-mails to their home personal account. Included in the e-mails were patients’ names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account information, and insurance information.
Quest did not report the total number of patients affected, but informed them that Quest has no reason to believe the breach will lead to fraudulent credit card applications or identity theft. Really? Why not? If there was some reason for the employee to do this that was not malicious, they certainly didn’t explain it. So why shouldn’t patients fear that the motive was fraud?
And for how long was this going on? Quest became aware of the breach in July, but only told the patients that “In 2012” the breach occurred.
I really wish Congress and HHS would agree with what I think needs to be included in a breach notification letter so that consumers can evaluate their risks more accurately.