Update: 2 million patients of yet another health care provider had their personal and financial data exposed in massive breach

June 3, 2019

By Kim Komando

UPDATE: July 18, 2019

Yet another health care company has been affected by the massive data breach at American Medical Collection Agency (AMCA). Clinical Pathology Laboratories (CPL) reports 2.2 million patients may have had their personal and financial data stolen.

CPL says the names, addresses, phone numbers, dates of birth, dates of service, balance information and treatment provider information may have been stolen in the AMCA breach. CPL added that the credit card or banking information of another 34,500 patients was compromised.

CPL said the breach was limited to U.S. residents. The company blames AMCA for not providing enough details when the breach was first disclosed.

The company told TechCrunch that the lack of information prevented CPL from identifying “potentially affected patients or confirm the nature of patient information potentially involved in the incident …”


UPDATE: June 5, 2019

There’s more fallout from the recent data breach at American Medical Collection Agency (AMCA), as another health care client says millions of their patient records have been also been exposed. In addition to Quest Diagnostics Inc. the breach now involves LabCorp, which also runs numerous lab testing facilities around the country.

According to a filing with the U.S. Securities and Exchange Commission, LabCorp said they were recently notified about the breach, noting that they have the information of 7.7 million people stored on AMCA’s affected system. That information includes full names, dates of birth, addresses, phone numbers, dates of service, providers, balance information and in some cases, bank account and credit card info. Like Quest, LabCorp says no test results were compromised.

The filing also says that AMCA is in the process notifying 200,000 LabCorp customers whose financial data could have been accessed, while also offering them identity protection and credit monitoring services for two years. LabCorp has also stopped working with AMCA.


What you need to know

Data breaches impact everything from social media platforms to fast food restaurants. And when they inevitably make headlines, all anyone can really hope is that they were accidental and on a small scale.

Then there is the worst kind of breaches, those that impact a large number of the population while also exposing some of your most sensitive information. And many are the direct work of hackers, meaning your private data is at far greater risk.

This latest breach is, unfortunately, one of those “perfect storms” involving millions of people. Not only that, in this case, hackers had access to some of the most sensitive information you can imagine like medical records, financial information, and even Social Security numbers. The worst part is, this went on for months before being discovered.

Millions of personal records hacked

This latest breach involves the New York-based American Medical Collection Agency (AMCA). As the name implies, it’s a collections service provider that works with various medical organizations including Quest Diagnostics Inc. If you’re not familiar, Quest runs more than 2,000 medical testing facilities across the U.S. with a major focus on blood/drug testing.

Quest said in a securities filing that on May 14, AMCA informed Quest of “potentially unauthorized activity” on AMCA’s payment page.

Later that month, AMCA provided additional details to Quest and Optum360 LLC, saying between August 1, 2018, and March 30, 2019, an unauthorized user had access to AMCA’s web payment system – which contains personal information from various entities, including 11.9 million Quest patients.

What was exposed

The compromised data reportedly included financial details, such as banking information and credit card numbers, medical records (excluding lab test results) and even Social Security numbers. Having access for eight months could potentially be devastating, but it’s unclear just how far-reaching it could be.

Quest says AMCA has not yet provided detailed info about the breach, including which specific patients were affected. It also stressed they haven’t been able to verify the accuracy of details provided by AMCA. Quest is now working with forensics experts and has suspended sending collection requests to AMCA. (Read Quest’s full statement by clicking or tapping here)

Here’s what they said

AMCA released the following statement to komando.com, but they didn’t address any other companies that could have been impacted:

“We are investigating a data incident involving an unauthorized user accessing the American Medical Collection Agency system. Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page. We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident. We remain committed to our system’s security, data privacy, and the protection of personal information.”

AMCA

Note: Optum360 LLC (part of UnitedHealth Group Inc.) uses AMCA for billing services and is a contractor for Quest and they released the following statement to komando.com: “While Optum360 data systems were not impacted by this situation, data security is critically important to us, and we are actively working with Quest and AMCA to understand this issue and ensure appropriate actions are being taken.”

It hasn’t been a good year when it comes to data breaches in the medical field. Medical software developer Mediate Software Inc. was found to be leaking patient records through an open server in March.

Just days later, we learned of a breach involving medical device and software company ZOLL Medical Corporation. Then in April, another breach exposed medical information of patients receiving treatment for addiction.

Monitor and protect your sensitive information

In these situations, most companies say they’ll contact affected customers but don’t just assume that’ll be the case. Your data could still be exposed, whether you hear from them or not.

Routine data checkups are important regardless, even if you have no reason to believe your information has been exposed. In cases like this, one key component is keeping a very close eye on your financial records. Scammers with credit card numbers alone can do damage, but it’s much, much worse when they have other information to go on like your Social Security number.

RELATED: DATA BREACHES MAKE DEBIT AND CREDIT CARDS DANGEROUS FORMS OF PAYMENT

With those details, cybercriminals will have far less trouble accessing existing accounts (use 2FA when available) to set up new ones in your name.  So it’s not just a risk of fraud, it could lead to major identity theft. If things get bad, you should consider freezing your credit.

Watch for an uptick of suspicious calls, texts or emails as well. Crooks with some of your info are probably going to want more of it, so they’ll try to trick you through various phishing scams. On that note, test yourself to find out just how knowledgable you are when it comes to staying safe online.

https://www.komando.com/tips/cybersecurity/data-breach-exposes-millions-of-medical-records/