Not-dear Security Breach, When Will Your Reign End?

LabCorp Security Breach

Tragedy has struck again this week! LabCorp released a statement that their collection agency, American Medical Collection Agency (AMCA), experienced a data breach from August 1, 2018 to May 30, 2019. This occurred on the payment pages of their website. The breach is said to have affected 7.7 million customers of LabCorp. It includes leaked names, birthdates, addresses, phone numbers, dates of service, provider, balance information, as well as credit card information and bank account information of those who used the payment website of AMCA to pay their bill.

LapCorp reported in a filing to the U.S. Securities and Exchange Commission made earlier this week that “they provided no ordered test, laboratory results, or diagnostic information to AMCA. AMCA has advised LabCorp that Social Security Numbers and insurance identification information are not stored or maintained for LabCorp consumers.”

AMCA is currently working to send an email notifying 200,000 customers of LabCorp that their payment information used on their website was compromised.

LabCorp was not the only corporation affected by this breach. AMCA also informed Quest Diagnostics that 11.9 million of their customers’ medical, personal, and payment information was leaked, including Social Security Numbers and credit card information. AMCA first informed Quest Diagnostics of the breach on May 14, but they were not given the number of customers affected until earlier this week. Additionally, Quest Diagnostics claimed that AMCA is still withholding specific information about the data breach.

AMCA released a statement about the breach: “We are investigating a data incident involving an unauthorized user accessing the American Medical Collection Agency system. Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page.”

They also stated that they “hired a third-party external forensics firm to investigate any potential security breach in [their] systems, migrated [their] web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase [their] systems’ security.” They also reported the incident to law enforcement and said, “We remain committed to our system’s security, data privacy, and the protection of personal information.”

When reporting on this latest security incident, KrebsonSecurity predicts we will see other companies affected by this breach: “Today’s disclosure by LabCorp. suggests we are nowhere near done hearing about other companies with millions of consumers victimized because of this incident.” With a total of 19.6 million consumers’ data compromised–12 million including sensitive medical information–this is already turning out to be one of the largest healthcare data breaches ever recorded, reports HIPAA Journal. The effects of this data breach is quickly becoming a nightmare for all parties involved, and will haunt the companies and individuals affected for years to come.