Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //

Compliance

Healthcare Breach Expands to 19.6 Million Patient Accounts

LabCorp says its third-party debt-collection provider, AMCA, notified the company that information on 7.7 million patients had leaked. Expect more healthcare companies to come forward.

A second large healthcare company has come forward to acknowledge that customer information sent to a third-party debt-collection firm likely was compromised.

In a June 4 filing, medical diagnostics firm LabCorp notified the US Securities and Exchange Commission that the company had used the services of American Medical Collection Agency (AMCA) to collect past due medical bills from 7.7 million patients. The debt-collection firm notified LabCorp that an unknown person or group had accessed data on LabCorp's customers between August 1, 2018 and March 1, 2019.

The exposed information included the customer's name, date of birth, address, phone, date of service, provider, and balance information, as well as payment-account information, if the patient had attempted to pay their bill, according to the SEC filing. 

"AMCA has informed LabCorp that it is in the process of sending notices to approximately 200,000 LabCorp consumers whose credit card or bank account information may have been accessed," LabCorp stated in the filing. "AMCA has not yet provided LabCorp a list of the affected LabCorp consumers or more specific information about them."

LabCorp's notification comes a day after a rival medical-services firm Quest Diagnostics revealed that the breach of AMCA's website left information on 11.9 million of its customers at risk.

AMCA has not provided the public with a list of its clients, potentially all of whose customers may have been put at risk by the security lapse on the company's website. On June 5, the company provided an updated statement to Dark Reading, stating it is investigating the unauthorized access of its website and that it planned to provide 24 months of credit monitoring to people affected.

"Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page," AMCA said in the statement. "We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems' security."

The debt-collection company plans to provide "24 months of credit monitoring to anyone who had a social security number or credit card account compromised," according to the statement.

The size of the breach could quickly grow, depending on the number of AMCA clients impacted by the breach, and how many each of those clients referred to AMCA for collection, says Avivah Litan, distinguished analyst with business intelligence firm Gartner.

"It is anyone's guess, but it could end up affecting all of their customers," she says. "It could very well be huge. It could make Equifax look like a run-of-the-mill breach."

The compromise of Equifax's database put information on more than 145 million Americans—the majority of adults in the country—at risk. 

AMCA's data breach also underscores the danger of third-party providers. AMCA acts as the custodian of financial information for those patients whose files are sent to debt collection. The company accumulates sensitive information from all its clients, but patients rely on the original provider—LabCorp and Quest Diagnostics, in the lastest compromise—to keep their information safe, says Fred Kneip, CEO of compliance-service provider CyberGRX.

"It's natural for healthcare companies to do business with third-party vendors, but it's critical that they understand and take the actions necessary to mitigate the cyber risks associated with integrated partner ecosystems," Kneip said in a statement. "Patients place their trust in healthcare providers to protect their data, so it is the provider's responsibility to protect that data both within their network and beyond to their third parties, ensuring visibility into network ecosystems as well as conducting regular evaluations of their security posture."

There is very little that patients can do to hold suppliers accountable for the security of their information—they rely on the original service provider, said Michael Covington, vice president of product strategy at Wandera, a mobile security provider. 

"You can't stop going to the doctor because you're afraid of a data breach," he said in a statement. "Your physician, hospital, pharmacy and diagnostics provider all must access your data to keep you healthy. And each one of those 'service providers' uses third-parties—many of whom are unvetted from an IT security perspective—to enable their business."

Until the government puts additional pressure on service providers or suppliers feel the pain of failing to protect their custodial data, the situation will not improve, says Gartner's Litan.

"The ones who get hurt in the end are the consumer," she says. "The only ones who do a decent job of regulating are the credit card company, because they have to pay for any fraud."

Related Content:

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online
Kelly Sheridan, Staff Editor, Dark Reading,  8/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.
CVE-2019-12400
PUBLISHED: 2019-08-23
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this im...
CVE-2019-15092
PUBLISHED: 2019-08-23
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.