Quest, LabCorp data breach highlights cyber risk from vendors: Moody's

Quest Diagnostics and LabCorp—two of the largest clinical labs in the U.S.—are still trying to respond to the fallout from a breach that impacted the data of 20 million patients.

Among the potential consequences? Their credit rating.  

While there is no immediate financial impact for Quest and LabCorp, the breach is credit negative for the companies because it exposes them to reputational risk and shines a spotlight on how they select and assess their vendors, according to a report from Moody's Investors Service.

Quest Diagnostics disclosed June 3 that 11.9 million customers may have had their medical and financial information exposed due to a breach at American Medical Collection Agency (AMCA), a billing collections vendor. LabCorp revealed June 4 that 7.7 million patients' accounts at AMCA were stored in the vulnerable computer system and may also have been exposed.

Opko Health, the third company impacted by the security breach, said 422,600 patients' data may have been exposed, bringing the total number of patients affected to more than 20 million.

The breach was reportedly the result of malicious activity on AMCA's web payment page.

The breach has attracted scrutiny from the media and from legislators. Three U.S. senators sent letters to Quest and LabCorp seeking details about the breach and the steps the companies are taking to remedy it.

State lawmakers also want answers about the breach as Connecticut Attorney General William Tong and Illinois Attorney General Kwame Raoul announced Friday that they are launching an investigation into the AMCA data breach.

"Sensitive personal information of millions of patients may have been compromised, and I am deeply concerned about the adequacy of the plans in place to notify and protect all affected individuals. It is important to determine the cause of this serious data breach and what steps these companies are taking to ensure this does not happen again," Tong said in a statement.

The increased scrutiny could ultimately result in new regulations and requirements for how U.S. companies select their vendors, according to the Moody's report.

"Longer term, the financial and credit ramifications for Quest and LabCorp remain uncertain, although several factors reduce the risk," said the report's lead analyst Jean-Yves Coupin, vice president and senior analyst at Moody's Investors Service.

Quest has confirmed that the company carries cybersecurity insurance. But collecting on such policies can be a protracted process depending on the complexity of the claim, the wording in the policy and its coverage triggers, Coupin said in the report.

"We generally view data disclosure events as unlikely to have as large of a negative impact on a company as cyber attacks that disrupt key business activities. But large data breach disclosures have had damaging effects on individual companies," Coupin said.

Although it's too early to assess the impact of any reputational damage to Quest and LabCorp, Coupin said the risk of client losses is limited due to the companies' strong competitive positions and consumers' limited options when visiting clinical labs.

Beyond Quest and LabCorp, the clinical lab industry is highly fragmented, consisting mostly of smaller regional and local commercial clinical labs, specialized esoteric labs, and labs owned by physicians and hospitals, according to the report.

The breach underscores the cyber risks for U.S. corporations that can accompany vendor relationships, Coupin said, citing one of the most high-profile examples of a third-party data breach: the Target cyberattack. That breach exposed 40 million credit and debit card records and 70 million personal information records when a malicious actor accessed Target's point-of-sale system using network credentials stolen from the retailer’s HVAC contractor.

"After Target experienced a data breach in 2013, its profits fell, its CEO resigned and its expenses related to the breach totaled more than $178 million. Unlike Target, AMCA did not have access to LabCorp and Quest's own systems, which helps mitigate the risk," Coupin said in the report.