
Medical Debt Collector Breach Highlights Supply Chain Dangers

The breach of the website of American Medical Collection Agency leaves the personal and financial information of nearly 12 million patients at risk.

Medical testing provider Quest Diagnostics announced on Monday that the information of about 11.9 million of its patients — including their dates of birth and Social Security numbers — had been put at risk due to a breach of the website of a fourth-party supplier of debt-collection services dating as far back as August 2018.

The supplier, American Medical Collection Agency (AMCA), provides debt-collection services to Optum360, a medical billing service, which in turn is contracted by Quest. AMCA only notified Quest and Optum of the breach on May 14, and has not provided detailed information, Quest claimed in a notice posted on June 3.

"Quest is taking this matter very seriously and is committed to the privacy and security of our patients' personal information. Since learning of the AMCA data security incident, we have suspended sending collection requests to AMCA."

The incident underscores the threat that third-party — and, in this case, fourth-party — suppliers can pose to their clients, especially if the suppliers do not have a mature security program. 

"This was a breach through a vendor in their supply chain and shows that, however good your security strategy is, it can only ever be as good as the weakest link in the chain—and that could easily be a third party," Laurence Pitt, security strategy director at Juniper Networks, wrote in a statement sent to Dark Reading. "It's essential to evaluate security for every link in the supply chain, and data-protection regulations enforce this. You cannot outsource security responsibility."

AMCA has struggled to respond to the breach. In early March, threat intelligence firm Gemini Advisory notified the company that it had found caches of financial details for sale on the Dark Web that led back to its customer base. Gemini Advisory never received a response to its outreach, and so notified law enforcement as well.

"It's not the first time we had the same (non-)response," says Stanislav Alforov, director of research and development for Gemini Advisory. "It seems like everyone is always in denial — like there are seven stages to being breached and the first one is denial."

Because AMCA claims to handle more than $1 billion in receivables every year, a breach of its service likely affects other medical providers as well. However, the company has not provided any comprehensive information to Quest or Optum360. 

"AMCA has not yet provided Quest or Optum360 detailed or complete information about the AMCA data security incident, including which information of which individuals may have been affected," Quest Diagnostics stated on June 3. "And Quest has not been able to verify the accuracy of the information received from AMCA."

AMCA has hired crisis management firm Brunswick Group, which provided a statement to Dark Reading on the breach, saying that following the notification, it conducted an internal review and shut down its web payments page.

"We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security," AMCA said in the statement. "We have also advised law enforcement of this incident."

While the information leaked does not include diagnostic results, according to Quest, the inclusion of the dates of birth and Social Security numbers makes the data much more complete and therefore more valuable, says Giovanni Vigna, co-founder and CTO of network security provider Lastline.

"Customers impacted may now have to deal with identity theft — this requires a significant amount of time to handle — including the recovery of damaged credit scores while also fixing fraudulent charges on credit cards," he says.

Gemini Advisory expects more medical firms to notify their customers that their information has been compromised. While the company only found information on slightly more than 200,000 people on the Dark Web, cybercriminals often post only a subset of stolen accounts, Alforov says.

"I think you will start hearing from other affected clients going forward," he says. "This data so far is only from Quest Diagnostics clients, just the ones that were sent to collections. Those were the card holders that were affected."
