In June, we learned of two more companies reporting the potential compromise of financial and medical information of millions of Americans. The headlines sound familiar, as does the attack vector: compromise of a third-party vendor with access to patient information.
On June 3, Quest Diagnostics Incorporated reported that a breach at one of its vendors, American Medical Collection Agency, may have compromised the personal information of approximately 11.9 million of its patients. The compromised information includes credit card numbers, bank account information, social security numbers and unspecified medical information, among other things.
Quest stated that it has not yet obtained detailed or complete information from AMCA and has not received a list of the affected individuals, but that, according to AMCA, an unauthorized person had access to AMCA’s system for up to seven months.
On June 4, Laboratory Corporation of America Holdings reported that approximately 7.7 million of its patients were affected by the AMCA breach. For LabCorp patients, the compromised information includes credit card numbers and bank account information but not social security numbers or lab test results. LabCorp is also awaiting more detailed information from AMCA. But unlike Quest, LabCorp reported that AMCA is notifying some LabCorp patients directly.
News reports have already identified a third customer of AMCA affected by this incident, and there could be more to come. Meanwhile, AMCA has filed for bankruptcy and stated its intention to liquidate the company. AMCA cited the loss of its four largest clients (including Quest and LabCorp) and the cost of notifying millions of affected persons as factors contributing to the bankruptcy filing.
Quest and LabCorp now face the familiar dilemma of responding to a cyber event resulting not from a breach of their own systems but from a breach at a third-party vendor. Vendor breaches raise different issues than other breaches, including the following:
- Understanding what occurred, what information was compromised, and who must be notified: A company that obtains personal data from its customers is generally the party subject to notification and other obligations under applicable state and federal laws, even when the breach occurs in a vendor’s system. However, the ability of that company to obtain the information needed to provide notifications is often limited by the vendor’s ability and willingness to share information about the incident. For example, it was Quest, not AMCA, that received two separate letters from US senators requiring the company to respond within 10-14 days to detailed questions regarding its cybersecurity policies and procedures and this breach in particular. Quest is also the subject of at least one lawsuit in California and a regulatory investigation in Michigan.
- Compliance with privacy policies: Companies should ensure that they are complying with their privacy policies when they share information with vendors. For example, LabCorp’s privacy policy (as published on its website) states that it may share information with contractors, but Quest’s published policy promises that no information will be shared with vendors unless the patient has authorized Quest to do so. Presumably, Quest obtained patient consent in some other way, such as a consent form signed when the patient visited the Quest facility.
- Insurance coverage: Many cyber insurance policies cover notification costs and other losses only if the breach occurred in the insured’s systems. For losses arising from a vendor’s breach, a company often must rely on contractual indemnification rights, if any. Companies typically require their vendors to have certain levels of insurance coverage, but in many cases a vendor’s insurance policy will not cover the vendor’s contractual indemnification obligations to its customers. Indeed, contractually assumed indemnity is typically subject to a specific coverage exclusion.
Cybersecurity lawyers routinely advise clients regarding vendor relationships. Some general suggestions include the following:
- Legal review: Review contracts with vendors to identify cyber issues and conformity with market terms. Vendor contracts often include provisions regarding data protection requirements, reporting requirements in the event of a breach, insurance coverage and other matters.
- Data segregation: Limit the data shared with a vendor to only the information required for the vendor to fulfill its contract. For example, a medical collection agency might need information relating to the status of a patient’s account but might not need the patient’s medical information.
- Data access: Where the vendor has access to the company’s computer systems, ensure that the access is restricted to the specific systems and data the vendor needs to fulfill its contract, and that the vendor’s accounts cannot be used to move laterally through the rest of the client’s network.
- Monitoring of vendor activity: Where possible, employ tools to monitor vendor activity on your network. Earlier this year, criminals used phishing attacks to gain access to computer networks of major IT outsourcing firms such as Wipro and used that access to attack the networks of the IT firms’ customers. In many cases, the customers identified the rogue activity before significant damage could be done.
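As an added illustration of the data segregation, data access and monitoring points above (this is example code, not from the original article or from any of the companies it discusses), the following Python sketch shows the two checks a client can run on its own side of a vendor relationship: trimming a patient record to the fields a collections vendor actually needs, and flagging a vendor service account that touches hosts or performs actions outside its contracted scope. The account name, host names, field names and log lines are constructed for the example.

```python
"""
Hypothetical checks for the vendor-data controls listed above:
data segregation (share only the fields the vendor needs), data access
(restrict the vendor account to the systems it needs) and monitoring
(flag vendor activity outside that scope). All names, fields, hosts and
log lines are constructed for illustration.
"""
import json
from dataclasses import dataclass

# Fields a collections vendor plausibly needs to pursue a balance; anything
# else (SSN, diagnoses, test results) stays with the provider. Hypothetical.
COLLECTIONS_FIELDS = frozenset(
    {"account_id", "name", "mailing_address", "balance_due", "invoice_date"}
)


def minimize_record(record: dict, allowed_fields=COLLECTIONS_FIELDS) -> dict:
    """Return only the fields the vendor is contracted to receive.

    Fields outside the allowed set are dropped rather than masked, so a
    later breach at the vendor cannot expose data the vendor never held.
    """
    return {k: v for k, v in record.items() if k in allowed_fields}


@dataclass(frozen=True)
class VendorPolicy:
    """Scope granted to one vendor's service account (hypothetical)."""
    account: str
    allowed_hosts: frozenset
    allowed_actions: frozenset


def parse_event(line: str) -> dict:
    """One JSON access-log line -> dict; malformed lines raise ValueError."""
    event = json.loads(line)  # JSONDecodeError is a ValueError subclass
    for key in ("ts", "account", "host", "action"):
        if key not in event:
            raise ValueError(f"missing field {key!r}: {line}")
    return event


def find_violations(lines, policy: VendorPolicy) -> list:
    """Return events where the vendor account acted outside its policy.

    Two kinds of finding: a host the vendor was never granted (lateral
    movement) and an action outside its job (e.g. a bulk export).
    Other accounts are ignored; unparseable lines are reported as their
    own finding rather than silently skipped, since a logging gap is
    itself something the monitoring team should see.
    """
    findings = []
    for line in lines:
        try:
            ev = parse_event(line)
        except ValueError as exc:
            findings.append({"reason": "unparseable", "detail": str(exc)})
            continue
        if ev["account"] != policy.account:
            continue
        if ev["host"] not in policy.allowed_hosts:
            findings.append({"reason": "host_out_of_scope", **ev})
        elif ev["action"] not in policy.allowed_actions:
            findings.append({"reason": "action_out_of_scope", **ev})
    return findings


# Constructed sample data: a collections vendor account allowed to read and
# update balances on the billing host only.
SAMPLE_POLICY = VendorPolicy(
    account="svc-collections",
    allowed_hosts=frozenset({"billing-db"}),
    allowed_actions=frozenset({"read_balance", "update_balance"}),
)

SAMPLE_RECORD = {
    "account_id": "A-1001", "name": "Example Patient",
    "mailing_address": "1 Example St", "balance_due": 125.40,
    "invoice_date": "2019-05-01", "ssn": "000-00-0000",
    "diagnosis_code": "E11.9", "lab_result": "constructed value",
}

SAMPLE_LOG = [
    '{"ts": "2019-06-01T08:00:00Z", "account": "svc-collections", "host": "billing-db", "action": "read_balance"}',
    '{"ts": "2019-06-01T08:00:05Z", "account": "svc-collections", "host": "billing-db", "action": "update_balance"}',
    '{"ts": "2019-06-01T08:01:00Z", "account": "svc-collections", "host": "billing-db", "action": "export_all"}',
    '{"ts": "2019-06-01T08:02:00Z", "account": "svc-collections", "host": "lab-results-db", "action": "read_result"}',
    '{"ts": "2019-06-01T08:03:00Z", "account": "jdoe", "host": "lab-results-db", "action": "read_result"}',
    'not json at all',
]

if __name__ == "__main__":
    print("shared with vendor:", sorted(minimize_record(SAMPLE_RECORD)))
    for f in find_violations(SAMPLE_LOG, SAMPLE_POLICY):
        print("ALERT:", f)
```

The policy object is the contract's access clause expressed as data: if the contract says the vendor reads and updates balances on the billing system, then a bulk export on that system or any read from a lab-results host is an alert regardless of whether the credential itself was valid, which is exactly the case a stolen vendor credential produces.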
Comprehensive cybersecurity includes not only the integrity of your system, but also the integrity of any other system which may have access to your system or on which your data may be stored. Heightened diligence should be exercised whenever vendor relationships are established or evaluated.
Mike Titens is a partner in the Dallas office of Thompson & Knight. He represents U.S. and international clients in structuring, negotiating and implementing mergers, acquisitions and joint ventures.