A serious data breach at Quest Diagnostics that led to hackers accessing 34,000 people's health records was the fault of an unsecured mobile app, the company said in a statement. The company's MyQuest app, which is available for Apple and Android devices as well as the web, was the source of the breach.
"On November 26, 2016 an unauthorized third party accessed the MyQuest by Care360 internet application and obtained Protected Health Information (PHI) of approximately 34,000 individuals," the company said in a statement. "The accessed data included name, date of birth, lab results, and in some instances, telephone numbers. The information did not include Social Security numbers, credit card information, insurance or other financial information. There is no indication that individuals' information has been misused in any way."
Affected customers have been notified, the company said, and it is taking further steps to investigate the breach and prevent future breaches.
"When Quest Diagnostics discovered the intrusion, it immediately addressed the vulnerability," the company continued. "Quest is taking steps to prevent similar incidents from happening in the future, and is working with a leading cybersecurity firm to assist in investigating and further evaluating the company's systems. The investigation is ongoing and the unauthorized intrusion has been reported to law enforcement."
The New Jersey lab testing company has been offering MyQuest, originally known as Gazelle, since 2010. At the time, it made news for choosing to go mobile-first, making lab results available in an app before making them available online. The app allows patients to schedule lab appointments and receive lab results; it also incorporates data from wearable sensors and offers medication adherence features.
Data breaches like this one are becoming increasingly common in healthcare, but the fact that a mobile app was the source of this one demonstrates the privacy and security concerns that come with mobile health.