On June 4, 2019, LabCorp, a different nationwide group of blood testing centers, announced that 7.7 million people whose blood samples were processed by the company may have had their sensitive information obtained.
Similar to the case with Quest Diagnostics, LabCorp made the breach public via a U.S. Securities and Exchange Commission (SEC) filing. LabCorp said it had been alerted by AMCA that its data had also been exposed due to the cyberattack on AMCA’s web payment portal, which saw cybercriminals obtain access to the system between August 1, 2018 and March 30, 2019. LabCorp said AMCA held data on 7.7 million of its clients.
According to the AMCA website, the company manages more than $1 billion in annual receivables for a diverse client base, which includes “laboratories, hospitals, physician groups, billing services, and medical providers all across the country.”
It is therefore unsurprising that another healthcare organization has announced that it too has been impacted by the data breach at AMCA. Over the next few days and weeks, there will likely be several other announcements by healthcare organizations that have also been impacted by the breach.
The number of healthcare records known to have been impacted is now 19.6 million, and only two healthcare firms have so far revealed that they have been hit by the breach.
Unlike the Quest Diagnostics data, the LabCorp data did not include Social Security numbers, but it did include names, addresses, phone numbers, birth dates, dates of employment, provider data, balance information, and some banking and credit card information. LabCorp notes that no diagnostic information, medical test outcomes, or insurance information was supplied to AMCA. As Quest Diagnostics did, LabCorp has stopped using AMCA for billing collections.
Around 200,000 people whose financial information was exposed are being alerted by AMCA and have been provided with two years of credit monitoring and identity theft protection services at no charge. LabCorp has not yet been given full details on those who have been impacted by the breach, so notifications to other customers cannot yet be sent.
As was made public yesterday, Gemini Advisory found around 200,000 credit cards listed for sale on a darknet marketplace and alerted AMCA to the breach. Those credit card numbers were not from LabCorp customers, as the data set included Social Security numbers, which were not supplied by LabCorp to AMCA.