Update
LabCorp and Quest hit with data breach, 19.6m patients potentially affected
The American Medical Collection Agency (AMCA) is the contracted collector of service revenues for both LabCorp and Quest Diagnostics. The provider has informed both companies that an unauthorized user had access to AMCA’s system containing data from various companies.
Quest Diagnostics on Monday released a public statement addressing the data breach. LabCorp is not providing any further statement on the topic beyond its Form 8-K filing with the Securities and Exchange Commission (SEC) dated June 4, 2019.
In its press release, Quest stated that the AMCA first notified Quest and Optum360 – a Quest contractor – of “potential unauthorized activity on AMCA’s web payment page” on May 14, 2019.
The affected system included information about approximately 11.9m Quest patients, according to the company. This information is believed to include certain financial data, Social Security numbers, and medical information – but not lab test results.
“AMCA has not yet provided Quest or Optum360 detailed or complete information about the AMCA data security incident, including which information of which individuals may have been affected. And Quest has not been able to verify the accuracy of the information received from AMCA,” according to Quest, which has suspended its collection requests to the AMCA.
LabCorp
According to AMCA, the unauthorized activity at LabCorp occurred between August 1, 2018, and March 30, 2019. The affected system included data from approximately 7.7m consumers, per the SEC filing.
According to the company, this information could include first and last name, date of birth, address, phone, date of service, provider, and balance information, as well as credit card or bank account information provided by the consumer. However, LabCorp had not provided AMCA with information about ordered tests, lab results, or diagnostic information.
AMCA is currently notifying approximately 200,000 LabCorp consumers whose financial information may have been accessed during the breach.
“AMCA has informed LabCorp that it intends to provide the approximately 200,000 affected LabCorp consumers with more specific information about the AMCA Incident, in addition to offering them identity protection and credit monitoring services for 24 months,” according to the SEC filing.
LabCorp has ceased sending collection requests to AMCA and halted any pending work.
Vendor security
The incident at LabCorp and Quest closely follows a data breach at Charles River, which in late May notified clients of unauthorized access into portions of its information systems. The contract services provider detected unusual activity in mid-March and quickly began an investigation in coordination with US federal law enforcement.
In a Form 8-K filing dated April 30, 2019, Charles River explained that “some client data was copied by a highly sophisticated, well-resourced intruder,” though the investigation remains ongoing.
These attacks all highlight the challenge of keeping data secure, as the industry increasingly recognizes these potential threats.
Frameworks, such as those published by the National Institute of Standards and Technology (NIST), are helping guide efforts to mitigate these risks. Additionally, companies are forming alliances, such as through the Health Information Sharing and Analysis Center (H-ISAC), and establishing working groups to develop best practices.
Exostar SVP of Innovation and Informatics Vijay Takanti previously told us, “It’s not so much that an attack could happen through the third party, but that it could happen to the third party.”
As he explained, cybersecurity is a bigger issue, and it is not just about information and communication technology (ICT) suppliers but about all third-party suppliers: “That is a big, big shift.”
Update:
AMCA has provided the following statement addressing the breach:
"We are investigating a data incident involving an unauthorized user accessing the American Medical Collection Agency system. Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page.
We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident."