Personal data of nearly 20m patients compromised in AMCA data breach
5 June 2019
In among the largest and most successful cyber attacks targeting the healthcare sector ever, hackers stole personal and financial information of nearly 20 million patients from the payment pages of the AMCA (American Medical Collection Agency), a firm that processes payments on behalf of medical testing companies such as Quest Diagnostics and LabCorp.
On Monday, a report released by the U.S. Securities and Exchange Commission stated that unknown hackers accessed the web payment page of the American Medical Collection Agency between August 1, 2018 and March 30, 2019 (eight months in total) and stole personal, medical and financial information belonging to approximately 11.9 million patients who were customers of laboratory-testing giant Quest Diagnostics.
Highly sensitive information of patients that were stolen by hackers from the payment page included social security numbers, credit card numbers and bank account information. However, since laboratory test results were not provided by Quest Diagnostics to AMCA, hackers were not able to access such information.
“AMCA has not yet provided Quest or Optum360 detailed or complete information about the AMCA data security incident, including which information of which individuals may have been affected. And Quest has not been able to verify the accuracy of the information received from AMCA.
“Quest is taking this matter very seriously and is committed to the privacy and security of our patients’ personal information. Since learning of the AMCA data security incident, we have suspended sending collection requests to AMCA,” said Quest Diagnostics in a statement published on its website.
LabCorp says AMCA breach impacted its 7.7 million customers
A day after news of the massive data breach arrived, LabCorp, yet another major medical testing company operating in the United States, announced that the cyber attack, that AMCA suffered between August 1, 2018 and March 30, 2019, compromised personal, medical, and financial information of approximately 7.7 million of its customers.
Information of millions of LabCorp customers compromised by the incident included first and last names, dates of birth, addresses, phone numbers, dates of service, providers, balance information, as well as credit card and bank account information.
“LabCorp provided no ordered test, laboratory results, or diagnostic information to AMCA. AMCA has advised LabCorp that Social Security Numbers and insurance identification information are not stored or maintained for LabCorp consumers.
“AMCA has informed LabCorp that it is in the process of sending notices to approximately 200,000 LabCorp consumers whose credit card or bank account information may have been accessed,” said LabCorp in a filing with the Securities and Exchange Commission.
In total, the cyber attack that lasted eight full months impacted the personal and financial information of nearly 20 million patients who obtained medical testing services from Quest Diagnostics and LabCorp. Since the AMCA website is silent about the incident, we are not aware if customers of other clients were impacted by the incident or not.
Addressing the press, a apokesperson from AMCA said that as soon as the debt collections firm was informed about a security breach by a security compliance firm that works with credit card companies, it took down the affected web payments page, conducted an internal review, hired a third-party external forensics firm to investigate any potential security breach, and informed law enforcement about the incident.