- The cybersecurity data breach that hit Quest Diagnostics and LabCorp last week, which originated with billing collection vendor American Medical Collection Agency, is credit negative for both companies, Moody's Investor Service said Monday.
- Though there is no immediate financial impact from the breach exposing data of nearly 20 million patients, the breach could lead to intraorganizational or policy changes in how healthcare companies select their billing collection vendors.
- But it is still too early to tell the long-term credit and financial implications, according to the credit rating agency. Moody's predicts the breach could result in "new regulations and requirements" for how U.S. companies select and assess their vendors. State and federal lawmakers have already begun to dig into the issue.
Though data breaches are generally less harmful to companies than attacks that disrupt or halt the functioning of daily business, big and highly publicized breaches have had damaging effects on companies in the past, Moody's said.
For example, after Target's 2013 data breach that exposed 40 million credit and debit card records and 70 million pieces of personal information, profits dove, its CEO resigned and cybersecurity-related expenses reached almost $180 million.
However, diagnostics is a different industry than retail. Quest and LabCorp together control roughly 37% of the market share for diagnostic and medical laboratories, according to the Open Markets Institute. Other players include smaller regional and commercial specialized labs and physician- or hospital-owned facilities. Quest and LabCorp are in a relatively stable position because the potential for client losses is limited, according to Moody's.
"While there is no immediate financial impact for Quest or LabCorp, the breach is credit negative for the companies because it exposes them to reputational risk and shines a spotlight on how they select and assess their vendors," Moody's wrote in the report.
AMCA provides billing collections services to Optum360 (a contractor with Quest), which is in turn owned by for-profit healthcare behemoth UnitedHealth Group.
Two U.S. senators, including presidential hopeful Cory Booker, D-N.J., sent a letter to New Jersey-based Quest on Wednesday inquiring into the cause of the seven-month-old breach and what the company was doing to fix it.
Connecticut Attorney General William Tong and Illinois Attorney General Kwame Raoul also opened up a joint investigation last week in an attempt to get at the root of how the breach, which was a result of malicious activity of AMCA's payment webpage, started — and why it was not caught by either company.
"I am deeply concerned about the adequacy of the plans in place to notify and protect all affected individuals," Tong said in a statement.
Following the incident, LabCorp and Quest both announced they would no longer send new collection requests to AMCA, and LabCorp has severed all pending collection requests with the company.
A third diagnostics company, OPKO Health, announced in a June 3 filing it had been affected by the same cybersecurity attack through a subsidiary's use of AMCA. The data of roughly 423,000 patients was affected, including personal and financial information. About 6,600 patients' credit card or bank account information may have been breached.
The subsidiary, BioReference, said it has severed ties with AMCA.
Quest's breach affected 11.9 million consumers and included Social Security numbers, financial data and medical information. Lab results, however, were not disclosed since they were not shared with AMCA.
The breach exposed 7.7 million patients' personal and financial data from LabCorp, including first and last name, birth date, address, phone, date of lab testing, provider and balance information. Social Security numbers, insurance identification information and laboratory results were not exposed. Malicious actors may have accessed financial information, including credit card or bank account info, from about 200,000 LabCorp patients. AMCA is in the process of sending notices to those affected and will offer identity protection and credit monitoring services for two years.