Attackers breach collections agent for Quest Diagnostics and LabCorp exposing 20 million...

Cal Jeffrey

TS Evangelist
Staff member

Close to 20 million Quest Diagnostics and LabCorp patient records were exposed in a breach of a third-party company that they both use.

According to a Securities and Exchange Commission (SEC) filing on Monday, Quest reported that 11.9 million of its records were compromised by a security breach of its collections provider American Medical Collection Agency (AMCA). Then on Tuesday, LabCorp said that 7.7 million of its records were also exposed to the same AMCA intrusion.

The attack targeted the AMCA’s website and skimmed personal information that included patient names, birth dates, addresses, phone numbers, dates of service, providers, and account balance. Additionally, LabCorp confirmed that nearly 200,000 patients also had their credit card or bank information stolen.

Medical data, including history and lab results, were not compromised.

According to Quest’s SEC filing, the AMCA’s systems were breached on August 1, 2018. The vulnerability was not discovered until March 30 of this year.

There is no indication as to who was behind the breach, but the methods used are similar to those seen last year against big companies including British Airways, Newegg, and Ticketmaster. The group behind those intrusions, known as Magecart, used malicious Javascript injected into the victim websites to siphon off data and send it to the attackers through a secondary domain.

It is unclear if AMCA was only used for collections of accounts that were in default or if it handled billing in general. If you are a Quest Diagnostics or LabCorp customer, you might want to keep your eye on your accounts for any suspicious activity.

Image credit: Ken Wolter / Shutterstock.com

Permalink to story.

 

Uncle Al

TS Evangelist
Couldn't happen to a more deserving company. Quest has a long record of double & triple billing their patients, completely screwing up test results, and of course, denigrating anyone that reports them. They are so bad the large medical practice I go to dropped them within 90 days of trying them ..... nuff said!
 

Dimitrios

TS Guru
Couldn't happen to a more deserving company. Quest has a long record of double & triple billing their patients, completely screwing up test results, and of course, denigrating anyone that reports them. They are so bad the large medical practice I go to dropped them within 90 days of trying them ..... nuff said!
In what state?
 

treetops

TS Evangelist
I wonder how much more it would cost and how much high end companies would be willing to pay for the security of the old filing cabinet\paper system.
 
  • Like
Reactions: Cal Jeffrey

Kinemon

TS Rookie
So the company that everyone is sent to for invasive pre-employment drug screens lost all the personal info nobody wanted to give them in the first place, great. Another company profiting from the war on drugs.