Data Breaches Compromise Records of Nearly 20 Million

Medical testing company LabCorp. said Tuesday that personal and financial data on some 7.7 million consumers were exposed by a breach at a third-party billing collections firm. That company, the American Medical Collection Agency (AMCA), also recently notified another medical testing giant, Quest Diagnostics, that an intrusion in its payments Web site exposed personal, financial and medical data on nearly 12 million Quest patients.

In a filing with the U.S. Securities and Exchange Commission, LabCorp. said it learned that the breach at AMCA began in August 2018 and ran through March 2019. It said the information exposed could include first and last name, date of birth, address, phone, date of service, provider, and balance information.

“AMCA’s affected system also included credit card or bank account information that was provided by the consumer to AMCA (for those who sought to pay their balance),” the filing reads. “LabCorp provided no ordered test, laboratory results, or diagnostic information to AMCA. AMCA has advised LabCorp that Social Security Numbers and insurance identification information are not stored or maintained for LabCorp consumers.”

LabCorp further said the AMCA has informed LabCorp “it is in the process of sending notices to approximately 200,000 LabCorp consumers whose credit card or bank account information may have been accessed. AMCA has not yet provided LabCorp a list of the affected LabCorp consumers or more specific information about them.”

The LabCorp disclosure comes just days after competing lab testing firm Quest Diagnostics disclosed that the hack of AMCA exposed the personal, financial and medical data on approximately 11.9 million patients.

Quest said it first heard from the AMCA about the breach on May 14, but that it wasn’t until two weeks later that AMCA disclosed the number of patients affected and what information was accessed, which includes financial information (e.g., credit card numbers and bank account information), medical information and Social Security Numbers.

Quest says it has since stopped doing business with the AMCA and has hired a security firm to investigate the incident. Much like LabCorp, Quest also alleges the AMCA still hasn’t said which 11.9 million patients were impacted and that the company was withholding information about the incident.

The AMCA declined to answer any questions about whether the breach of its payments page impacted anyone who entered payment data into the company’s site during the breach.

This is the latest example of a breach at a little-known company that holds vast quantities of sensitive data that was being shared or stored in ways that were beyond the control of affected consumers.

Less than two weeks ago, news broke that the Web site for Fortune 500 real estate title insurance giant First American Financial leaked 885 million documents related to mortgage deals going back to 2003. The digitized records, including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver’s license images, were available without authentication to anyone with a Web browser.

More than 11.6 billion personal records have been exposed in data breaches since 2005. CUNA and the state leagues have been and will continue to press Capitol Hill lawmakers to establish a national data security standard that subjects all entities with access to personal financial data to the same privacy protections as financial institutions under Gramm-Leach-Bliley, and holds any entity found responsible for a data breach liable for the resulting card reissuing and fraud costs.