Millions affected in consecutive medical data breaches

Two separate data breaches at a payment collection firm have resulted in the exposure of sensitive information belonging to 20 million people.

The medical testing giant LabCorp said on 4 June that sensitive personal and financial information of 7.7 million of its customers had been exposed as a result of a security breach sustained by the American Medical Collection Agency (AMCA), according to a filing with the Security and Exchange Commission.

The AMCA is a third-party payment collection agency used by both LabCorp and blood testing company Quest Diagnostics which was also affected by a breach at the agency. The AMCA services credit card companies, healthcare institutions, personal finance lenders and creditors.

The breach is believed to have taken place between 1 August 2018 and 30 March 2019; affected customers could have their names, addresses, phone numbers, dates of birth and balance information exposed.

"AMCA's affected system also included credit card or bank account information that was provided by the consumer to AMCA (for those who sought to pay their balance)," read the filing.

"LabCorp provided no ordered test, laboratory results, or diagnostic information to AMCA. AMCA has advised LabCorp that Social Security Numbers and insurance identification information are not stored or maintained for LabCorp consumers." 

Since the breach's discovery, LabCorp has said that it will notify all customers it believes have been affected and will offer them identity protection and credit monitoring services for 24 months.

A blood testing laboratory Quest Diagnostics informed its customers on Monday, just a day earlier than the coverage of LabCorp's breach, that an attacker's unauthorised access to the AMCA's payment systems resulted in 11.9 million of its customers' social security and credit card numbers were also put at risk.

Both Quest Diagnostics and Optum360, a Quest Diagnostics contractor that also uses AMCA's billing services, were informed of a possible data breach on 14 May, an event which was later confirmed on 31 May.

"Quest has not been able to verify the accuracy of the information received from AMCA," the company said in a statement. "Quest is taking this matter very seriously and is committed to the privacy and security of our patients' personal information. Since learning of the AMCA data security incident, we have suspended sending collection requests to AMCA."

The AMCA manages more than $1 billion in annual receivables over a broad client base. A firm representing the agency said in a statement given to NBC that "upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page".

"We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems' security," it added.

"We have also advised law enforcement of this incident."