7.7 Million LabCorp Patients Added to AMCA Breach Tally
Earlier, Quest Diagnostics Reported Nearly 12 Million Affected by Same Incident
How big will the American Medical Collection Agency data breach get?
A second major lab testing firm, LabCorp, has revealed that it, too, is a victim of the "unauthorized access" incident at AMCA, with 7.7 million patients that the lab test firm serves potentially having their data - including, for some, credit card information - exposed.
The news comes after Quest Diagnostics reported on Monday that nearly 12 million of the patients it serves were affected by the breach.
"We are in the early days of learning the full size and scope of this cybersecurity incident," says privacy attorney David Holtzman of security consultancy CynergisTek.
AMCA is one of the larger collection agencies serving clinical laboratories, hospitals and physician groups, he notes. "Applying the patchwork of state and federal requirements for reporting breaches to the nationwide reach of AMCA's disclosure of personally identifiable information could mean weeks will pass before all the affected healthcare organizations have completed the notifications to individuals, the media and regulators," Holtzman adds.
In the meantime, New Jersey's two U.S. senators on Wednesday sent a letter to Secaucus, New Jersey-based Quest Diagnostics demanding answers about the AMCA breach.
In the letter, the two Democratic senators, Bob Menendez and Cory Booker, write: "The months-long leak leaves sensitive personal information vulnerable in the hands of criminal enterprises. ... We need to understand exactly how this breach happened and how it impacts patients."
The senators request a detailed timeline of the breach and a description of Quest Diagnostics' efforts to limit impact on patients, the company's processes for the security of vendors handling patient information and the resources that the lab testing firm dedicates to information and data security.
A spokesman for Menendez tells ISMG that the senators are considering sending letters to AMCA and LabCorp as well as a result of the latest news.
LabCorp's SEC Filing
In an 8-K filing with the Securities and Exchange Commission on Tuesday, Burlington, North Carolina-based LabCorp said it has been notified by Elmsford, New York-based Retrieval-Masters Creditors Bureau - which does business as AMCA - about "unauthorized activity" on AMCA's web payment page. "According to AMCA, this activity occurred between August 1, 2018, and March 30, 2019," the filing notes.
AMCA's affected system included information provided by LabCorp, including clients' names, dates of birth, addresses, phone numbers, dates of service, healthcare providers and account balance information, LabCorp says.
"AMCA's affected system also included credit card or bank account information that was provided by the consumer to AMCA, for those who sought to pay their balance," LabCorp notes.
No lab test information, Social Security numbers or insurance identification information of its clients was exposed, LabCorp says. But, it adds, "AMCA has informed LabCorp that it is in the process of sending notices to approximately 200,000 LabCorp consumers whose credit card or bank account information may have been accessed."
AMCA will offer those clients whose financial information was exposed 24 months of prepaid identity protection and credit monitoring service, LabCorp's SEC filing notes.
"LabCorp is working closely with AMCA to obtain more information and to take additional steps as may be appropriate once more is known about the AMCA Incident," the lab company reports. "In response to initial notification of the AMCA incident, LabCorp ceased sending new collection requests to AMCA and stopped AMCA from continuing to work on any pending collection requests involving LabCorp consumers."
A LabCorp spokesman declined further comment about the breach.
Impact on Quest Diagnostics
LabCorp's SEC filing came one day after Quest Diagnostics filed an 8-K with the SEC and issued a statement revealing that information about 11.9 million of the patients it serves was potentially compromised in the AMCA data breach.
In its SEC filing about the incident, Quest Diagnostics notes that it "has insurance coverage in place for certain potential liabilities and costs relating to the incident; this insurance is limited in amount and subject to a deductible."
In a statement provided to ISMG, AMCA said it is investigating the incident.
"Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page," the statement says.
"We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems' security," the company says. "We have also advised law enforcement of this incident."
AMCA's parent company, Retrieval-Masters Creditors Bureau, says on its website that it also provides collections programs for businesses in other sectors, including direct marketing, banks/credit cards, telecom, transportation, debt portfolio management and services.
Reacting to AMCA's revelation that a "security compliance firm that works with credit card companies" notified it of "a possible security compromise," some security experts note that this type of third-party discovery of credit card data exposure is common.
"Credit card processors regularly find evidence of breaches at customer sites because of fraud-related payment processing patterns," says John Nye, director of cybersecurity services at CynergisTek.
Through monitoring of network activity, credit card processors will often see volumes and/or patterns of data that include tags or metadata that potentially identify the source of a possible breach, Nye says. "Or [they'll discover] a trove of payment-related data for sale on the dark web that originated from the payment data of the credit card accounts originating through the organizations they serviced, tracing the stolen data back to its source."
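The tracing Nye describes, reduced to a small worked example (added here; it is not code from the article or from any firm it quotes): common-point-of-purchase analysis flags a merchant when an unusually large share of the cards that transacted there are later reported fraudulent, and the dates of those transactions bound the exposure window. Transactions, fraud reports and merchant names are all constructed.

```python
from collections import defaultdict
from datetime import date

# Constructed transaction history: (card_id, merchant, transaction date).
TRANSACTIONS = [
    ("card01", "MERCHANT_A", date(2018, 9, 3)),
    ("card01", "GROCER_X", date(2018, 9, 10)),
    ("card02", "MERCHANT_A", date(2018, 11, 15)),
    ("card02", "GROCER_X", date(2018, 11, 20)),
    ("card03", "MERCHANT_A", date(2019, 1, 7)),
    ("card04", "MERCHANT_A", date(2019, 2, 20)),
    ("card04", "FUEL_Y", date(2019, 2, 21)),
    ("card05", "GROCER_X", date(2019, 1, 2)),
    ("card06", "GROCER_X", date(2019, 1, 5)),
    ("card07", "GROCER_X", date(2019, 1, 9)),
    ("card08", "FUEL_Y", date(2019, 3, 1)),
    ("card09", "FUEL_Y", date(2019, 3, 2)),
    ("card10", "GROCER_X", date(2019, 1, 12)),
    ("card11", "GROCER_X", date(2019, 1, 14)),
]

# Constructed issuer fraud reports: card_id -> date fraud was first confirmed.
FRAUD_REPORTS = {
    "card01": date(2019, 3, 1),
    "card02": date(2019, 3, 5),
    "card03": date(2019, 3, 9),
    "card04": date(2019, 4, 2),
    "card05": date(2019, 2, 1),  # fraud unrelated to any shared merchant
}

def common_point_of_purchase(transactions, fraud_reports, min_cards=3, min_rate=0.5):
    """Flag merchants used by >= min_cards distinct cards where >= min_rate of those
    cards were later reported fraudulent; a transaction counts as exposure only if
    it predates the card's fraud report. Returns counts, rate and exposure window."""
    cards_at = defaultdict(set)
    for card, merchant, _ in transactions:
        cards_at[merchant].add(card)
    suspects = {}
    for merchant, cards in cards_at.items():
        if len(cards) < min_cards:
            continue  # too few cards to draw any conclusion
        exposed = [(c, d) for c, m, d in transactions
                   if m == merchant and c in fraud_reports and d < fraud_reports[c]]
        hit = {c for c, _ in exposed}
        if hit and len(hit) / len(cards) >= min_rate:
            dates = [d for _, d in exposed]
            suspects[merchant] = {"cards": len(cards), "exposed": len(hit),
                                  "rate": round(len(hit) / len(cards), 2),
                                  "window": (min(dates), max(dates))}
    return suspects
```

In the constructed data only MERCHANT_A is flagged: every card that paid there was later reported, while the grocer and fuel merchants show the ordinary background rate of fraud that a real processor must not confuse with a breach.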
Potential Scope of Breach
Although AMCA has not yet disclosed how many individuals might have had their data compromised in the breach, it's "highly likely" that other companies who contract with AMCA for medical collection services have been affected, says Kelly White, founder and CEO of security vendor RiskRecon.
"The fact that both Quest and LabCorp have announced their breach indicates that AMCA stored customer data in a common database, such that compromise of a single system impacts many customers," White tells ISMG. "Sometimes, when an important vendor is compromised, a whole industry is at risk. This seems to be one of those cases."
White says the incident is yet another reminder to other healthcare sector entities of the potentially serious security risks posed by vendors.
"Wise companies will respond by strengthening their oversight of third parties to ensure that each vendor meets their cybersecurity risk standard," he says. "That strengthening will include not only attestation to good security practices, but also implementation of objective verification of their risk management program, such as evidence provided through cybersecurity risk ratings."
Rich Curtiss, principal of healthcare risk assurance services at security consultancy Coalfire, offers a similar assessment.
"The most glaring lesson from this breach is the growing importance of having a robust third-party risk management program, something that has been traditionally neglected while becoming increasingly imperative as healthcare organizations lean more heavily on third parties to lift their on-premises management burdens," he says.
Previous Security Incidents
Quest Diagnostics and LabCorp have both previously reported security incidents.
In December 2016, Quest Diagnostics reported a hacking/IT incident involving a network server and affecting more than 34,000 individuals, according to an entry on the Department of Health and Human Services' HIPAA Breach Reporting Tool website. There are no other Quest Diagnostics breaches listed on the tally, which tracks breaches affecting 500 or more individuals.
The tally also lists one breach that affected LabCorp. The 2010 theft incident involving paper and film records reported by a LabCorp Patient Service Center in Nevada affected 507 individuals.