Laboratory Services April 2026 Diagnostics

Quest Diagnostics

One of America's largest lab testing companies exposed patient results—from routine bloodwork to cancer screenings to genetic tests.

Patient names · Lab test results · Diagnosis information · Social Security numbers · Insurance details · Physician information
1. What happened?

Quest Diagnostics, one of the two largest clinical laboratory companies in the United States, disclosed a data breach affecting patient records. Quest processes over 500 million lab tests annually—from routine bloodwork to cancer screenings to genetic testing—making them custodians of some of the most sensitive health data in existence.

2. What data was actually inside?

Lab test results tell stories that patients may not want told: HIV status, STD screenings, drug tests, genetic markers, cancer indicators. Combined with Social Security numbers and insurance details, this is the most intimate health data people produce—generated by their own blood, urine, and tissue.

Diagnostic data is often more revealing than medical records—it's the objective evidence of conditions that may not appear elsewhere.

3. Who gets hurt and how?

Anyone who had blood drawn or samples tested at Quest. Patients getting routine physicals. People screening for diseases. Employees undergoing drug testing. Insurance applicants providing medical evidence. The data reveals health status in ways people may not have disclosed even to family members.

Lab results can affect employment, insurance, and relationships. Exposure has consequences beyond financial fraud.

4. What did they think they were doing right?

Quest Diagnostics is a Fortune 500 company operating under HIPAA, CLIA, and other healthcare regulations. They have significant compliance infrastructure and serve virtually every healthcare system in the country. They process sensitive data at massive scale and should have corresponding security.

Being essential to healthcare doesn't make you secure. It makes you a valuable target.

5. What did they not know about their own data?

Quest didn't know how accessible their patient data was across their laboratory information systems. Lab data flows through complex paths—from specimen collection to processing to physician portals to patient access. Each integration point is a potential vulnerability.

Historical test results accumulate over decades. Quest holds lab data from years of testing that patients may have forgotten about, but that attackers now have access to.

6. What does attribution look like the morning after?

Notifications to patients across the country. Coordination with referring physicians and health systems. HHS OCR investigation. State attorneys general inquiries in multiple jurisdictions. Media coverage of sensitive health data exposure.

For laboratory companies, breaches are particularly damaging—patients submit specimens trusting that results remain confidential. That trust is foundational to diagnostic testing.

7. What would have changed the outcome?

Knowing where sensitive test results live across all laboratory systems.

If Quest had mapped their data—HIV results, genetic tests, drug screenings—across their entire infrastructure, they could have prioritized protection for the most sensitive results. Lab data varies in sensitivity; some results are life-altering if exposed. That variation requires varied protection.

Don't Learn What You Have From an Attacker

Quest didn't know what patient data was exposed until it was too late. Risk Finder shows you first.
