+1 (866) 558-3328

Quest Diagnostics Inc. reported that approximately 11.9 million of its patients were compromised in a data breach, targeting financial information and other data, from August 1st of 2018 through March 30th of this year. The data breach specifically targeted collections firm American Medical Collection Agency (AMCA) and their online payment page. AMCA’s online payment page provides collection services to Optum360, which is a contractor for Quest Diagnostics. In a statement made by Quest, the data breach involved credit card numbers, bank account information, social security numbers, and medical information. However, it did not affect laboratory test results. A data-security firm has announced that approximately 200,000 payment card numbers are being sold on the dark web, stolen from a collections firm serving diagnostic laboratories. The data-security firm states that even more is expected to come up for sale.

What’s Being Sold

data breach of quest diagnostics and AMCA affect millions of patients

Gemini Advisory, LLC, a New York-based company that monitors the dark web to find clients’ stolen data, said that it first “identified a large number of compromised payment cards” on Feb. 28. About 15% of the records stolen also included important information such as dates of birth, social security numbers, addresses, and email addresses. According to Christopher Thomas, an intelligence production analyst at Gemini Advisory, all of the compromised financial data spotted on the dark web so far consist of payment cards, not bank account information.

“While 200,000 records have currently been posted for sale, it is common for cybercriminals to post compromised data to the Dark Web in installments, so the number of records may well increase.” -Christopher Thomas, Gemini Advisory.

SEE: New Debt Collector Rule for the Modern Age

Data Breach Will Get Worse

data breach of quest diagnostics and amca from medical collection agency

It’s important to note that Quest Diagnostics is not AMCA’s only client. LabCorp, another big diagnostics firm, said in a regulatory filing that it sent personal—and financial—data on 7.7 million consumers to AMCA.

“AMCA has informed LabCorp that it is in the process of sending notices to approximately 200,000 LabCorp consumers whose credit card or bank account information may have been accessed. AMCA has not yet provided LabCorp a list of the affected LabCorp consumers or more specific information about them.” -LabCorp.

After finding the card numbers on the dark web, Gemini Advisory researchers concluded they came from something other than an online retailer. According to Thomas, “Since the records we observed contained information such as date of birth and Social Security number, we determined that the compromised records came from an online portal that requires more personally identifiable information than average online retailers.”

SEE: 5 Debt Collection Tips for Business Owners

AMCA in Question

AMCA data breach online payment system offline

According to Gemini Advisory, AMCA took its online payment portal offline from April 8th to May 2nd. Gemini Advisory also said it alerted AMCA about this breach, but received no response. Quest Diagnostics, meanwhile, said in a statement that “AMCA has not yet provided Quest or Optum360 detailed or complete information about the AMCA data-security incident, including which information of which individuals may have been affected.”

When it comes to exactly how the breach happened, that hasn’t been revealed. However, in a statement, AMCA said that an “unauthorized user” accessed its system. The statement continues:

“Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page. We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our Web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident.”

The collections firm also said it’s providing 24 months of credit monitoring to anyone who had either a social security number or credit card account compromised, even if their state doesn’t require it.

Southwest Recovery

Southwest Recovery Services is the most trusted collection agency in Dallas and Houston. Follow us for more information on collection agencies, collecting debt, and industry news.