Over 20 million patients of three competing medical testing firms, Quest Diagnostics, LabCorp and BioReference Laboratories Inc, may have been affected by a breach after a billing collections service provider, American Medical Collections Agency (AMCA), reported that an unauthorised user had access to their systems.
AMCA is a New York-based company with a long history of collecting debt for a wide range of businesses, including medical labs and hospitals, direct marketers, telecom companies, and state and local traffic/toll agencies. With such a large portfolio of clients, its announcement of unauthorised activity on its web payment page has left its partner organisations, and a great many US citizens, seriously concerned about the safety of their sensitive information.
Millions of U.S. Patients Affected
Concerns around the breach were first raised on the 14th of May, when Quest Diagnostics announced that 11.9 million of its patients may have had their details compromised. LabCorp followed, stating that a further 7.7 million of its patient records were affected in the same AMCA breach. The most recent victim is BioReference Laboratories Inc, a subsidiary of the medical testing and pharmaceutical firm OPKO Health Inc, which stated that 422,600 of its patients were potentially impacted. That brings the total to over 20 million patient records containing sensitive personally identifiable information (PII).
All three companies stated that the compromised information included patient names, dates of birth, addresses, phone numbers and credit card or bank account details; Quest Diagnostics also listed Social Security numbers.
In a statement from the AMCA, they said:
“We are investigating a data incident involving an unauthorised user accessing the American Medical Collection Agency system. Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page.”
“We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident. We remain committed to our system’s security, data privacy, and the protection of personal information.”
Both Quest Diagnostics and LabCorp say that AMCA has yet to tell them which of their customers were impacted. Quest has since stopped doing business with AMCA and has hired a security firm to investigate the incident. BioReference has asked AMCA to “cease continuing to work on any pending collection requests involving BioReference patients”.
The data breach appears to be the latest in a run of negative news for the debt collection firm. The company has numerous complaints lodged against it on the Consumer Financial Protection Bureau (CFPB) website, and holds an “F” rating from the Better Business Bureau, which has also recorded a further set of complaints over a three-year period.
As the true scale of the breach is still not clear, other AMCA partners may well come forward in the coming weeks to report that their patients have been similarly affected.
How to Avoid a Similar Data Breach in Your Organisation
A breach on this scale can have a huge impact on any business, but there are ways to reduce the risk, and possibly to avoid compromised data altogether. Best practice is to take sensitive information “out of scope” by removing it from the corporate network and environment entirely. For customer cardholder data (CHD), this can be done using a third-party payment solutions provider, such as Key IVR, which offers an industry-leading PCI DSS Level 1 secure web payments service that processes card details safely and securely. Two caveats apply. Outsourcing reduces scope but does not remove responsibility: the page or system that hands the customer over to the provider is still in scope and must itself be protected against tampering, and the application should never accept, log or store card numbers in the first place, only the token the provider returns. And the provider's security becomes part of your own supply chain; AMCA was itself a third-party provider to the labs whose patients are now affected, so due diligence on a provider's controls and breach-notification obligations matters as much as your own.
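As an added illustration of what keeping cardholder data out of scope means at the application boundary (example code written for this page, not Key IVR's or any provider's own API), the following Python check accepts only a payment token from the external provider and refuses any request in which a field looks like a card number, so a PAN never reaches application logs or storage. The token format `tok_...`, the form field names and the sample requests are assumptions constructed for the example.

```python
import re

# Constructed example: a minimal server-side gate that keeps cardholder data (CHD)
# out of scope. The application only ever accepts a payment token issued by the
# external payment provider; any field that looks like a primary account number
# (PAN) is rejected before it can be logged or stored.

# Runs of 13-19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?:\d[ -]?){13,19}")

# Hypothetical token format returned by the payment provider's hosted page.
TOKEN_FORMAT = re.compile(r"^tok_[A-Za-z0-9]{16,}$")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True if the value contains a Luhn-valid 13-19 digit number."""
    for m in PAN_CANDIDATE.finditer(value):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return True
    return False


def accept_payment(form: dict) -> dict:
    """Gate a payment request from the browser.

    Returns what the application would forward to the provider. Card data is
    refused outright and is never echoed back or written to a log.
    """
    for name, value in form.items():
        if looks_like_pan(str(value)):
            return {
                "ok": False,
                "error": f"field '{name}' contains cardholder data; submit a provider token instead",
            }
    token = str(form.get("payment_token", ""))
    if not TOKEN_FORMAT.match(token):
        return {"ok": False, "error": "missing or malformed payment token"}
    return {
        "ok": True,
        "charge": {"token": token, "amount_cents": int(form.get("amount_cents", 0))},
    }


if __name__ == "__main__":
    # Constructed requests: one that wrongly carries a test card number, one correct.
    print(accept_payment({"payment_token": "4111 1111 1111 1111", "amount_cents": "1000"}))
    print(accept_payment({"payment_token": "tok_abcdefghijklmnop", "amount_cents": "1000"}))
```

The Luhn check keeps the filter from tripping on ordinary long numbers such as account or reference IDs, while still catching a card number pasted into any field, not just the expected one. In a real deployment this gate sits in front of request logging as well as business logic.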