AMCA Data Breach Affects 7.7 Million LabCorp Patients

LabCorp has announced that the AMCA data breach has affected 7.7 million of their patients.

Quest Diagnostics, one of the U.S.’s largest blood testing facilities, recently revealed that 11.9 million of their patients had their data compromised due to a data breach at a business associate who dealt with the American Medical Collection Agency (AMCA), a billing collections company based in New York.

On June 4, 2019, LabCorp, another national network of blood testing centers, announced that 7.7 million individuals whose blood samples were processed by the company might have been affected by the same breach.

LabCorp revealed that they were affected by the incident in a report filed with the U.S. Securities and Exchange Commission (SEC). LabCorp said AMCA had notified it that its data had also been exposed as a result of the cyber attack on AMCA’s web payment portal. The hacker was able to access confidential information from September 2018 to March 2019.

On their website, AMCA claims that the company manages more than $1 billion in annual receivables for a diverse client base, which includes “laboratories, hospitals, physician groups, billing services, and medical providers all across the country.”

After Quest Diagnostics revealed that they had been affected by a cybersecurity incident at AMCA, it was widely predicted that patients of other companies had also been affected. So far, nearly 20 million people have been affected, and AMCA has identified only two organisations. It is highly probable that AMCA will notify further organisations in the coming weeks that their data has been compromised.

Already, this breach is the second largest in U.S. history, beaten only by the 2015 Anthem breach which saw over 70 million files compromised.

The types of information the hacker accessed included names, addresses, phone numbers, dates of birth, dates of service, provider information, balance information, and some banking and credit card information. LabCorp notes that no diagnostic information, medical test results, Social Security numbers, or insurance information were provided to AMCA. As was the case with Quest Diagnostics, LabCorp has stopped using AMCA for billing collections.

Around 200,000 individuals whose financial information was exposed are being notified by AMCA and have been offered 2 years of credit monitoring and identity theft protection services. AMCA has not provided LabCorp information about which individuals have been affected, so no breach notification letters have been sent.

The breach was first identified by researchers at Gemini Advisory, a cybersecurity company, in May 2019. Gemini notified AMCA when they discovered 200,000 patients’ credit card details for sale on the dark web. However, AMCA did not respond to Gemini’s warning, so Gemini instead reported their findings to databreaches.net. The researchers determined that a hacker had stolen the credit card details between September 2018 and March 2019.

Gemini also reported the breach to relevant law enforcement authorities.
