[BreachExchange] AMCA data breach has now went over the 20 million mark

Destry Winant destry at riskbasedsecurity.com
Sat Jun 15 00:58:46 EDT 2019


https://www.zdnet.com/article/amca-data-breach-has-now-went-over-the-20-million-mark/

A security breach at American Medical Collection Agency (AMCA), a
provider of billing services for the US healthcare sector, has now
exposed the personal and financial information of over 20 million
Americans, possibly more.

The exposed data belongs to Americans who paid for laboratory work at
various clinical and blood testing labs across the US and used AMCA's
billing portal.

HACK WENT UNDETECTED FOR MONTHS

The breach, first reported by DataBreaches.net, took place after a
hacker group compromised AMCA's IT network and stole payment
information, which they later put up for sale on carding forums.

Exposed data included names, home addresses, phone numbers, dates of
birth, Social Security numbers, payment card details, and bank account
information.

After being confronted about the hack, AMCA officials admitted to the
security incident, which they said lasted from August 1, 2018, to
March 30, 2019, a period of eight months.

Since officially confirming the breach, several of AMCA's corporate
clients (testing labs) have now also started notifying their own
customers of their billing partner's security snafu.

The list of impacted testing laboratories includes Quest Diagnostics
(11.9 million patients), LabCorp (7.7 million patients), BioReference
Laboratories (Opko Health subsidiary, 422,600 patients), Carecentrix
(500,000 patients), and Sunrise Laboratories (undisclosed number of
patients).

Neither AMCA nor its five customers have yet notified all users
impacted by the breach, which may pose issues for all involved
parties. AMCA initially claimed that only 200,000 patients had their
data stolen by hackers, but subsequent SEC filings by testing
laboratories contradicted its initial statements.

Following the bungled disclosure of these incidents, tens of lawsuits
have been filed around the US, against AMCA, Quest, and LabCorp.

US authorities have also opened investigations into the AMCA breach,
with attorneys general from Connecticut and Illinois being the first
to do so.

In Washington, US Sen. Mark Warner (D-VA) also sent a letter to Quest
Laboratories demanding the company explain its vetting process for
selecting AMCA as a billing vendor, and what requirements a
third-party vendor has to pass.

Democratic New Jersey Sens. Cory Booker and Bob Menendez also sent
letters to AMCA, Quest, and LabCorp, seeking official answers on how a
breach of this severity went undetected for eight months.

Whatever comes next, it's certainly not good for AMCA, with
authorities and the courts expected to come down hard on the billing
vendor.

