The Weakest Links – Vendors in the Spotlight, Again

Last week brought news of two more companies reporting the potential compromise of financial and medical information of millions of Americans. The headlines sound familiar, as does the attack vector – compromise of a third-party vendor with access to patient information.

On June 3, Quest Diagnostics Incorporated reported that a breach at one of its vendors, American Medical Collection Agency (AMCA), may have compromised the personal information of approximately 11.9 million of its patients. The compromised information includes credit card numbers, bank account information, Social Security numbers, and unspecified medical information, among other things. Quest stated that it has not yet obtained detailed or complete information from AMCA and has not received a list of the affected individuals, but that according to AMCA, an unauthorized person had access to AMCA’s system for up to seven months.

On June 4, Laboratory Corporation of America Holdings reported that approximately 7.7 million of its patients were affected by the AMCA breach. For LabCorp patients, the compromised information includes credit card numbers and bank account information, but not Social Security numbers or lab test results. LabCorp is also awaiting more detailed information from AMCA but unlike Quest, LabCorp reported that AMCA is notifying some LabCorp patients directly.

News reports have already identified a third victim of this incident, and there could be more to come. According to its website, AMCA is “the leading recovery agency for patient collections,” and its clients include “Laboratories, Hospitals, Physician groups, Billing services and Medical providers all across the country.” AMCA also operates under the “Retrieval Masters” brand and services “Direct Marketers, Telecom, Toll Agencies, and Debt Buyers,” further expanding the scope of potential victims. Quest and LabCorp are both public companies that reported the breach in filings with the Securities and Exchange Commission, but many of AMCA’s other clients are not subject to SEC reporting requirements.

Quest and LabCorp now face the familiar dilemma of responding to a cyber event resulting not from a breach of their own systems, but from a breach at a third-party vendor. Vendor breaches raise different issues than other breaches, including the following:

  • Understanding what occurred, what information was compromised, and who must be notified: A company that obtains personal data from its customers is generally the party subject to notification and other obligations under applicable state and federal laws, even when the breach occurs in a vendor’s system. However, the ability of that company to obtain the information needed to provide notifications is often limited by the vendor’s ability and willingness to share information about the incident. For example, it was Quest, not AMCA, that received two separate letters from U.S. senators requiring the company to respond within 10-14 days to detailed questions regarding its cybersecurity policies and procedures and this breach in particular.
  • Compliance with privacy policies: Companies should ensure that they are complying with their privacy policies when they share information with vendors. For example, LabCorp’s privacy policy (as published on its website) states that it may share information with contractors, but Quest’s published policy promises that no information will be shared with vendors unless the patient has authorized Quest to do so. Presumably, Quest obtained patient consent in some other way, such as a consent formed signed when the patient visited the Quest facility.
  • Insurance coverage: Many cyber insurance policies cover notification costs and other losses only if the breach occurred in the insured’s systems. For losses arising from a vendor’s breach, a company often must rely on contractual indemnification rights, if any. Companies typically require their vendors to have certain levels of insurance coverage, but in many cases a vendor’s insurance policy will not cover the vendor’s contractual indemnification obligations to its customers. Indeed, contractually assumed indemnity is typically subject to a specific coverage exclusion.

Thompson & Knight’s Cybersecurity Practice Group routinely advises clients regarding vendor relationships. Some general suggestions include the following:

  • Legal review: Ask knowledgeable legal counsel to review contracts with vendors to identify cyber issues and conformity with market terms. Vendor contracts often include provisions regarding data protection requirements, reporting requirements in the event of a breach, insurance coverage, and other matters.
  • Data segregation: Limit the data shared with a vendor to just the information required for the vendor to fulfill its contract. For example, a medical collection agency might need information relating to the status of a patient’s account, but might not need the patient’s medical information.
  • Data access: In cases where the vendor has access to computer systems, ensure that the access is restricted to the data the vendor needs to fulfill its contract, and that the vendor does not have rights to move throughout a client’s network.
  • Monitoring of vendor activity: Where possible, employ tools to monitor vendor activity on your network. Earlier this year, criminals used phishing attacks to gain access to the computer networks of major IT outsourcing firms such as Wipro, and used that access to attack the networks of the IT firms’ customers. In many cases, the customers identified the rogue activity before significant damage could be done.

Comprehensive cybersecurity includes not only the integrity of your system, but also the integrity of any other system which may have access to your system or on which your data may be stored. Heightened diligence should be exercised whenever vendor relationships are established or evaluated.