Millions affected in consecutive medical data breaches

A third-party cyber forensics team has been called in to investigate the breaches that exposed nearly 20 million patient records

Data breach

Two separate data breaches at a payment collection firm have resulted in the exposure of sensitive information belonging to 20 million people.

The medical testing giant LabCorp said on 4 June that sensitive personal and financial information of 7.7 million of its customers had been exposed as a result of a security breach sustained by the American Medical Collection Agency (AMCA), according to a filing with the Security and Exchange Commission.

The AMCA is a third-party payment collection agency used by both LabCorp and blood testing company Quest Diagnostics which was also affected by a breach at the agency. The AMCA services credit card companies, healthcare institutions, personal finance lenders and creditors.

The breach is believed to have taken place between 1 August 2018 and 30 March 2019; affected customers could have their names, addresses, phone numbers, dates of birth and balance information exposed.

"AMCA's affected system also included credit card or bank account information that was provided by the consumer to AMCA (for those who sought to pay their balance)," read the filing.

"LabCorp provided no ordered test, laboratory results, or diagnostic information to AMCA. AMCA has advised LabCorp that Social Security Numbers and insurance identification information are not stored or maintained for LabCorp consumers." 

Since the breach's discovery, LabCorp has said that it will notify all customers it believes have been affected and will offer them identity protection and credit monitoring services for 24 months.

A blood testing laboratory Quest Diagnostics informed its customers on Monday, just a day earlier than the coverage of LabCorp's breach, that an attacker's unauthorised access to the AMCA's payment systems resulted in 11.9 million of its customers' social security and credit card numbers were also put at risk.

Both Quest Diagnostics and Optum360, a Quest Diagnostics contractor that also uses AMCA's billing services, were informed of a possible data breach on 14 May, an event which was later confirmed on 31 May.

"Quest has not been able to verify the accuracy of the information received from AMCA," the company said in a statement. "Quest is taking this matter very seriously and is committed to the privacy and security of our patients' personal information. Since learning of the AMCA data security incident, we have suspended sending collection requests to AMCA."

The AMCA manages more than $1 billion in annual receivables over a broad client base. A firm representing the agency said in a statement given to NBC that "upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page".

"We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems' security," it added.

"We have also advised law enforcement of this incident."

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now

Recommended

Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021
61% of organizations say improving security a top priority for 2021
cyber security

61% of organizations say improving security a top priority for 2021

29 Jun 2021
ProtectedBy.AI’s CodeLock blocks malware at source code level
software as a service (SaaS)

ProtectedBy.AI’s CodeLock blocks malware at source code level

9 Jun 2021
CISOs aren’t leading by example when it comes to cyber security
cyber security

CISOs aren’t leading by example when it comes to cyber security

24 May 2021

Most Popular

The benefits of workload optimisation
Sponsored

The benefits of workload optimisation

16 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
IT Pro Panel: Why IT leaders need soft skills
professional development

IT Pro Panel: Why IT leaders need soft skills

26 Jul 2021