
Medical Debt Collector Breach Highlights Supply Chain Dangers

The breach of the website of American Medical Collection Agency leaves the personal and financial information of nearly 12 million patients at risk.

Medical testing provider Quest Diagnostics announced on Monday that the information of about 11.9 million of its patients — including their dates of birth and Social Security numbers — had been put at risk due to a breach of the website of a fourth-party supplier of debt-collection services dating as far back as August 2018.

The supplier, American Medical Collection Agency (AMCA), provides debt-collection services to Optum360, a medical billing service, which in turn is contracted by Quest. AMCA only notified Quest and Optum of the breach on May 14, and has not provided detailed information, Quest claimed in a notice posted on June 3.

"Quest is taking this matter very seriously and is committed to the privacy and security of our patients' personal information. Since learning of the AMCA data security incident, we have suspended sending collection requests to AMCA."

The incident underscores the threat that third-party — and, in this case, fourth-party — suppliers can pose to their clients, especially if the suppliers do not have a mature security program.

"This was a breach through a vendor in their supply chain and shows that, however good your security strategy is, it can only ever be as good as the weakest link in the chain—and that could easily be a third party," Laurence Pitt, security strategy director at Juniper Networks, wrote in a statement sent to Dark Reading. "It's essential to evaluate security for every link in the supply chain, and data-protection regulations enforce this. You cannot outsource security responsibility."

AMCA has struggled to respond to the breach. In early March, threat intelligence firm Gemini Advisory notified the company that it had found caches of financial details for sale on the Dark Web that led back to its customer base. Gemini Advisory never received a response to its outreach, and so notified law enforcement as well.

"It's not the first time we've had the same (non-)response," says Stanislav Alforov, director of research and development for Gemini Advisory. "It seems like everyone is always in denial — like there are seven stages to being breached and the first one is denial."

Because AMCA claims to handle more than $1 billion in receivables every year, a breach of its service likely affects other medical providers as well. However, the company has not provided any comprehensive information to Quest or Optum360.

"AMCA has not yet provided Quest or Optum360 detailed or complete information about the AMCA data security incident, including which information of which individuals may have been affected," Quest Diagnostics stated on June 3. "And Quest has not been able to verify the accuracy of the information received from AMCA."

AMCA has hired crisis management firm Brunswick Group, which provided a statement to Dark Reading on the breach, saying that following the notification, it conducted an internal review and shut down its web payments page.

"We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems' security," AMCA said in the statement. "We have also advised law enforcement of this incident."

While the information leaked does not include diagnostic results, according to Quest, the inclusion of the dates of birth and Social Security numbers makes the data much more complete and therefore more valuable, says Giovanni Vigna, co-founder and CTO of network security provider Lastline.

"Customers impacted may now have to deal with identity theft — this requires a significant amount of time to handle — including the recovery of damaged credit scores while also fixing fraudulent charges on credit cards," he says.

Gemini Advisory expects more medical firms to notify their customers that their information has been compromised. While the company only found information on slightly more than 200,000 people on the Dark Web, cybercriminals often post only a subset of stolen accounts, Alforov says.

"I think you will start hearing from other affected clients going forward," he says. "This data so far is only from Quest Diagnostic clients, just the ones that were sent to collections. Those were the card holders that were affected."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
