Home Cyber Attack Quest Diagnostics and LabCorp Fall Victims To American Medical Collection Agency Breach

Quest Diagnostics and LabCorp Fall Victims To American Medical Collection Agency Breach

by Abeerah Hashim

Remember the last year’s Typeform data breach that affected a huge number of customers? It seems another similar wave of breach reports is coming. Allegedly, an American Medical Collection Agency breach reported in the previous month has affected numerous AMCA customers. This week, two different medical facilities, Quest Diagnostics, and LabCorp have disclosed data breaches as an aftermath of the AMCA incident. Both the facilities confirm the number of affected patients to be in a few million.

12 Million Patients Affected In Quest Diagnostics Data Breach

According to the security notice published on their website, Quest Diagnostics has suffered a major security breach. The incident has affected roughly 12 million Quest patients.

Stating the details about the Quest Diagnostic data breach, the notice mentioned that AMCA first notified Quest and Optum360 – a Quest contractor – on May 14, 2019. However, they conveyed more details to Quest on May 31, 2019, that also mentioned the breach.

AMCA first notified Quest and Optum360 on May 14, 2019, of potential unauthorized activity on AMCA’s web payment page. On May 31, 2019, AMCA notified Quest and Optum360 that the data on AMCA’s affected system included information regarding approximately 11.9 million Quest patients.

As per the notice, the breached details include patients’ personal information and Social Security numbers, some financial information, and medical data. However, it did not include any lab test results.

For now, Quest has stopped collaborating with AMCA regarding collection requests. They are working towards notifying the affected patients.

LabCorp Data Breach Impacted 7.7 Million Patients

Following Quest Diagnostics, LabCorp disclosed a security breach. The LabCorp data breach allegedly impacted 7.7 million patients.

Their report surfaced online from a filing with the U.S. Securities and Exchange Commission. As stated in it, the AMCA security incident resulted in a breach of patients’ data that LabCorp provided to AMCA. This information included personal details and some financial information of the patients.

That information could include first and last name, date of birth, address, phone, date of service, provider, and balance information. AMCA’s affected system also included credit card or bank account information that was provided by the consumer to AMCA.

Nonetheless, in case of LabCorp, AMCA assured that the Social Security numbers and insurance IDs remained unaffected since AMCA did not store this data for LabCorp.

The filing also stated a much lesser number of affected patients mentioned by AMCA, whom AMCA will notify accordingly.

AMCA has informed LabCorp that it is in the process of sending notices to approximately 200,000 LabCorp consumers whose credit card or bank account information may have been accessed. AMCA has not yet provided LabCorp a list of the affected LabCorp consumers or more specific information about them.

Like Quest Diagnostics, LabCorp also halted sending collection requests to AMCA in response to the initial breach notification.

First Report Of American Medical Collection Agency Breach

In May 2019, DataBreaches.net first reported about the American Medical Collection Agency (AMCA) data breach. Quoting the findings of Gemini Advisory analysts, the report revealed that the AMCA incident exposed huge numbers of patient records to the attackers, which the analysts later found for sale on the dark web.

As observed, the offering boasted about the data that also included Social Security Numbers and date of birth. Further investigation revealed to them that the data linked to the AMCA’s online portal, which the hackers might have breached. As mentioned in the statement provided to the site,

On February 28, 2019, Gemini Advisory identified a large number of compromised payment cards while monitoring dark web marketplaces. Almost 15% of these records included additional personally identifiable information (PII), such as dates of birth (DOBs), Social Security numbers (SSNs), and physical addresses.

Regarding the duration, they noticed that the exposure mayhave begun in September 2018, and supposedly continued till March 2019. They could confirm at least 200,000 victims of the incident. They could also see some prominent banks among the affectees.

Gemini analysts identified several top affected banks that primarily focus on Health Savings Accounts (HSAs), Health Reimbursement Accounts (HRAs), Flexible Spending Accounts (FSAs), and Medicare Medical Savings Accounts (MSAs). These various medical accounts are used to pay health insurance deductibles, dental and vision care, and any other qualifying medical expenses.

Following this discovery, both the researchers and DataBreaches.net attempted to contact AMCA. However neither were successful.

It now seems that AMCA has begun notifying its customers affected by the security incident. The recent disclosures by Quest Diagnostics and LabCorp hint towards the huge extent of the security breach. Perhaps, we should be ready to see more of such reports from other AMCA customers in the coming days.

You may also like