LabCorp data also compromised by breach at AMCA

LabCorp, a major medical testing firm, is the latest entity to be embroiled in the huge data breach experienced by Quest Diagnostics.

Both Quest and LabCorp were affected through a breach at American Medical Collection Agency (AMCA), a billing and collections firm that serves as a business associate to both.

LabCorp says it has been notified by American Medical Collection Agency about unauthorized activity on AMCA’s web payment page, with the activity occurring between Aug. 1, 2018, and March 30 of this year. LabCorp had referred 7.7 million consumers to business associate AMCA, and consumer data was stored in the AMCA system.

The LabCorp incident could affect as many as 200,000 consumers, according to a Securities and Exchange Commission filing by LabCorp.

Earlier this week, Quest Diagnostics reported the AMCA breach affected 11.9 million of its patients.

LabCorp’s SEC filing suggests that potentially compromised data stored by AMCA could have included first and last names, dates of birth, addresses, phone numbers, dates of service, providers and balance information.

“AMCA’s affected system also included credit card or bank account information that was provided by the consumer to AMCA for those who sought to pay their balance,” according to the SEC filing.

LabCorp provided no ordered test, laboratory results or diagnostic information to AMCA, which has advised LabCorp that Social Security numbers and insurance identification information are not stored or maintained for LabCorp.

George Wrenn, founder and CEO at CyberSaint Security, a cybersecurity platform vendor, says that, because of the interconnectedness of modern business, he would be surprised not to learn soon about other companies affected by the breach.

“Managing, tracking and protecting the data that flows to and from our third parties is critical to cybersecurity resilience and a foundation of privacy best practices,” Wrenn adds. “Organizations have a duty to ensure that third parties are guarding their patients’ personally identifiable information, and this event is certainly evidence of its importance. The prevalence of third-party breaches, as well as the severity, is only increasing as digitization takes over modern business.”

AMCA is now sending breach notifications to 200,000 affected individuals whose credit or bank information may have been improperly accessed. AMCA has also taken steps to increase security and to tighten the security of data handled by vendors. The business associate has also told LabCorp it intends to provide about 200,000 consumers with more information on the specific incident with AMCA, and to offer two years of identity protection and credit monitoring services.

LabCorp has ceased working with AMCA and has stopped the firm from working on any pending collection requests involving LabCorp consumers.
