Millions affected in consecutive medical data breaches

A third-party cyber forensics team has been called in to investigate the breaches that exposed nearly 20 million patient records

Data breach

Two separate data breaches at a payment collection firm have resulted in the exposure of sensitive information belonging to 20 million people.

The medical testing giant LabCorp said on 4 June that sensitive personal and financial information of 7.7 million of its customers had been exposed as a result of a security breach sustained by the American Medical Collection Agency (AMCA), according to a filing with the Security and Exchange Commission.

The AMCA is a third-party payment collection agency used by both LabCorp and blood testing company Quest Diagnostics which was also affected by a breach at the agency. The AMCA services credit card companies, healthcare institutions, personal finance lenders and creditors.

The breach is believed to have taken place between 1 August 2018 and 30 March 2019; affected customers could have their names, addresses, phone numbers, dates of birth and balance information exposed.

"AMCA's affected system also included credit card or bank account information that was provided by the consumer to AMCA (for those who sought to pay their balance)," read the filing.

"LabCorp provided no ordered test, laboratory results, or diagnostic information to AMCA. AMCA has advised LabCorp that Social Security Numbers and insurance identification information are not stored or maintained for LabCorp consumers." 

Since the breach's discovery, LabCorp has said that it will notify all customers it believes have been affected and will offer them identity protection and credit monitoring services for 24 months.

A blood testing laboratory Quest Diagnostics informed its customers on Monday, just a day earlier than the coverage of LabCorp's breach, that an attacker's unauthorised access to the AMCA's payment systems resulted in 11.9 million of its customers' social security and credit card numbers were also put at risk.

Both Quest Diagnostics and Optum360, a Quest Diagnostics contractor that also uses AMCA's billing services, were informed of a possible data breach on 14 May, an event which was later confirmed on 31 May.

"Quest has not been able to verify the accuracy of the information received from AMCA," the company said in a statement. "Quest is taking this matter very seriously and is committed to the privacy and security of our patients' personal information. Since learning of the AMCA data security incident, we have suspended sending collection requests to AMCA."

The AMCA manages more than $1 billion in annual receivables over a broad client base. A firm representing the agency said in a statement given to NBC that "upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page".

"We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems' security," it added.

"We have also advised law enforcement of this incident."

Featured Resources

Navigating the new normal: A fast guide to remote working

A smooth transition will support operations for years to come

Download now

Leading the data race

The trends driving the future of data science

Download now

How to create 1:1 customer experiences at scale

Meet the technology capable of delivering the personalisation your customers crave

Download now

How to achieve daily SAP releases

Accelerate the pace of SAP change to support your digital strategy

Download now

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
The Xbox Series X shows how far the cloud still has to go
Cloud

The Xbox Series X shows how far the cloud still has to go

25 Sep 2020