Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Medical Debt Collector Breach Highlights Supply Chain Dangers

The breach of the website of American Medical Collection Agency leaves the personal and financial information of nearly 12 million patients at risk.

Medical testing provider Quest Diagnostics announced on Monday that the information of about 11.9 million of its patients — including their dates of birth and Social Security numbers — had been put at risk due to a breach of the website of a fourth-party supplier of debt-collection services dating as far back as August 2018.

The supplier, American Medical Collection Agency (AMCA), provides debt-collection services to Optum360, a medical billing service, which in turn is contracted by Quest. AMCA only notified Quest and Optum of the breach on May 14, and has not provided detailed information, Quest claimed in a notice posted on June 3.

"Quest is taking this matter very seriously and is committed to the privacy and security of our patients' personal information. Since learning of the AMCA data security incident, we have suspended sending collection requests to AMCA."

The incident underscores the threat that third-party — and, in this case, fourth-party — suppliers can pose to their clients, especially if the suppliers do not have a mature security program. 

"This was a breach through a vendor in their supply chain and shows that, however good your security strategy is, it can only ever be as good as the weakest link in the chain—and that could easily be a third party," Laurence Pitt, security strategy director at Juniper Networks, wrote in a statement sent to Dark Reading. "It's essential to evaluate security for every link in the supply chain, and data-protection regulations enforce this. You cannot outsource security responsibility."

AMCA has struggled to respond to the breach. In early March, threat intelligence firm Gemini Advisory notified the company that it had found caches of financial details for sale on the Dark Web that led back to its customer base. Gemini Advisory never received a response to its outreach, and so notified law enforcement as well.

"It's not the first time we had the same (non-)response," says Stanislav Alforov, director of research and development for Gemini Advisory. "It seems like that everyone is always in denial — like there are seven stages to being breached and the first one is denial."

Because AMCA claims to handle more than $1 billion in receivables every year, a breach of its service likely affects other medical providers as well. However, the company has not provided any comprehensive information to Quest or Optum360. 

"AMCA has not yet provided Quest or Optum360 detailed or complete information about the AMCA data security incident, including which information of which individuals may have been affected," Quest Diagnostics stated on June 3. "And Quest has not been able to verify the accuracy of the information received from AMCA."

AMCA has hired crisis management firm Brunswick Group, which provided a statement to Dark Reading on the breach, saying that following the notification, it conducted an internal review and shut down its web payments page.

"We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security," AMCA said in the statement. "We have also advised law enforcement of this incident."

While the information leaked does not include diagnostic results, according to Quest, the inclusion of the dates of birth and Social Security numbers makes the data much more complete and therefore more valuable, says Giovanni Vigna, co-founder and CTO of network security provider Lastline.

"Customers impacted may now have to deal with identity theft — this requires a significant amount of time to handle — including the recovery of damaged credit scores while also fixing fraudulent charges on credit cards," he says.

Gemini Advisory expects more medical firms to notify their customers that their information has been compromised. While the company only found information on slightly more than 200,000 people on the Dark Web, cybercriminals often post only a subset of stolen accounts, Alforov says.

"I think you will start hearing from other affected clients going forward," he says. "This data so far is only from Quest Diagnostic clients, just the ones that were sent to collections. Those were the card holders that were affected."

Related Content

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15224
PUBLISHED: 2019-08-19
The rest-client gem 1.6.13 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party.
CVE-2019-15225
PUBLISHED: 2019-08-19
In Envoy through 1.11.1, users may configure a route to match incoming path headers via the libstdc++ regular expression implementation. A remote attacker may send a request with a very long URI to result in a denial of service (memory consumption). This is a related issue to CVE-2019-14993.
CVE-2019-15223
PUBLISHED: 2019-08-19
An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/driver.c driver.
CVE-2019-15211
PUBLISHED: 2019-08-19
An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious USB device in the drivers/media/v4l2-core/v4l2-dev.c driver because drivers/media/radio/radio-raremono.c does not properly allocate memory.
CVE-2019-15212
PUBLISHED: 2019-08-19
An issue was discovered in the Linux kernel before 5.1.8. There is a double-free caused by a malicious USB device in the drivers/usb/misc/rio500.c driver.