Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Medical Debt Collector Breach Highlights Supply Chain Dangers

The breach of the website of American Medical Collection Agency leaves the personal and financial information of nearly 12 million patients at risk.

Medical testing provider Quest Diagnostics announced on Monday that the information of about 11.9 million of its patients — including their dates of birth and Social Security numbers — had been put at risk due to a breach of the website of a fourth-party supplier of debt-collection services dating as far back as August 2018.

The supplier, American Medical Collection Agency (AMCA), provides debt-collection services to Optum360, a medical billing service, which in turn is contracted by Quest. AMCA only notified Quest and Optum of the breach on May 14, and has not provided detailed information, Quest claimed in a notice posted on June 3.

"Quest is taking this matter very seriously and is committed to the privacy and security of our patients' personal information. Since learning of the AMCA data security incident, we have suspended sending collection requests to AMCA."

The incident underscores the threat that third-party — and, in this case, fourth-party — suppliers can pose to their clients, especially if the suppliers do not have a mature security program. 

"This was a breach through a vendor in their supply chain and shows that, however good your security strategy is, it can only ever be as good as the weakest link in the chain—and that could easily be a third party," Laurence Pitt, security strategy director at Juniper Networks, wrote in a statement sent to Dark Reading. "It's essential to evaluate security for every link in the supply chain, and data-protection regulations enforce this. You cannot outsource security responsibility."

AMCA has struggled to respond to the breach. In early March, threat intelligence firm Gemini Advisory notified the company that it had found caches of financial details for sale on the Dark Web that led back to its customer base. Gemini Advisory never received a response to its outreach, and so notified law enforcement as well.

"It's not the first time we had the same (non-)response," says Stanislav Alforov, director of research and development for Gemini Advisory. "It seems like that everyone is always in denial — like there are seven stages to being breached and the first one is denial."

Because AMCA claims to handle more than $1 billion in receivables every year, a breach of its service likely affects other medical providers as well. However, the company has not provided any comprehensive information to Quest or Optum360. 

"AMCA has not yet provided Quest or Optum360 detailed or complete information about the AMCA data security incident, including which information of which individuals may have been affected," Quest Diagnostics stated on June 3. "And Quest has not been able to verify the accuracy of the information received from AMCA."

AMCA has hired crisis management firm Brunswick Group, which provided a statement to Dark Reading on the breach, saying that following the notification, it conducted an internal review and shut down its web payments page.

"We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security," AMCA said in the statement. "We have also advised law enforcement of this incident."

While the information leaked does not include diagnostic results, according to Quest, the inclusion of the dates of birth and Social Security numbers makes the data much more complete and therefore more valuable, says Giovanni Vigna, co-founder and CTO of network security provider Lastline.

"Customers impacted may now have to deal with identity theft — this requires a significant amount of time to handle — including the recovery of damaged credit scores while also fixing fraudulent charges on credit cards," he says.

Gemini Advisory expects more medical firms to notify their customers that their information has been compromised. While the company only found information on slightly more than 200,000 people on the Dark Web, cybercriminals often post only a subset of stolen accounts, Alforov says.

"I think you will start hearing from other affected clients going forward," he says. "This data so far is only from Quest Diagnostic clients, just the ones that were sent to collections. Those were the card holders that were affected."

Related Content

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.
CVE-2020-7222
PUBLISHED: 2020-01-18
An issue was discovered in Amcrest Web Server 2.520.AC00.18.R 2017-06-29 WEB 3.2.1.453504. The login page responds with JavaScript when one tries to authenticate. An attacker who changes the result parameter (to true) in this JavaScript code can bypass authentication and achieve limited privileges (...