One day after Quest Diagnostics reported that nearly 12 million of its patients were potentially affected by a malicious breach of third-party bill collection vendor American Medical Collection Agency (AMCA), fellow clinical testing firm LabCorp acknowledged that roughly 7.7 million of its customers may be affected by the same incident.
Burlington, North Carolina-based LabCorp publicly disclosed the disturbing news yesterday in a Securities and Exchange Commission 8-K filing, warning that patient data it supplied to AMCA was exposed in the incident, which took place from Aug. 1, 2018 through March 30, 2019. Such information may include names, birth dates, addresses, phone numbers, dates of service, providers and unpaid balances.
Making matters worse, roughly 200,000 customers who paid LabCorp bills using AMCA's web portal had their payment card information compromised, LabCorp continued. According to the SEC filing, AMCA did not share the identities of these particular victims, but assured the diagnostics company that it had already begun to notify these individuals, and would offer them two years of identity protection and credit monitoring services.
This revelation appears to correspond to a May 10 DataBreaches.net report that said analysts from Gemini Advisory had found a database for sale on the dark web that contained information on about 200,000 individuals. Through their investigative work, Gemini’s analysts eventually linked the stolen data to AMCA.
Social Security numbers, insurance identification information, laboratory tests and results, and diagnostic information were not impacted in the breach, asserted LabCorp, which officially goes by the name Laboratory Corporation of America Holdings.
"AMCA has indicated that it is continuing to investigate this incident and has taken steps to increase the security of its systems, processes and data," the filing said, later adding that in response to the incident LabCorp "ceased sending new collection requests to AMCA and stopped AMCA from continuing to work on any pending collection requests involving LabCorp consumers."
Between Quest Diagnostics and LabCorp alone, nearly 20 million lab patients have now had their information imperiled, and it's possible many more victims will come to light as other companies using AMCA as a third-party service provider discover their customer data was affected as well.
Security researcher Brian Krebs wrote on his website that a review he conducted of the Consumer Financial Protection Bureau's complaint web page turned up nearly 700 complaints lodged against AMCA, which also operates under the name Retrieval-Masters Credit Bureau. These complaints revealed current or previous business relationships between AMCA and New Jersey's EZPass system as well as American Traffic Solutions, which services rental car companies and processes millions of toll transactions and violations.
"Due to the interconnectedness of modern business, I will be surprised if we do not soon learn about other companies affected by this breach," said George Wrenn, founder and CEO of CyberSaint Security, in emailed comments. "Organizations must be responsible for tracking their third parties, knowing the real-time status of their cybersecurity, data protection, and privacy postures, and identifying their risk tolerance, using this information to request remediation activities and make the most informed partnership decisions possible."
Kevin Gosschalk, CEO of Arkose Labs, said that every third-party vendor is an "added access point" that requires attention, because "as hackers continue to evolve, they will target the endpoints that companies might not actively think of protecting."
The fact that Quest Diagnostics said certain medical information (unrelated to lab tests) was exposed and LabCorp acknowledged that insurance and provider information was affected is "troubling," said Brad Keller, program director at Shared Assessments, because "there is no mechanism in place to prevent [the] misuse" of health care information.
"Action can be taken to freeze information at the credit bureaus and indicate that financial information has been compromised. In addition, financial institutions have programs in place to take corrective action to prevent the unauthorized use of credit cards and accounts once information has been compromised," Keller continued. But, "no such centralized process exists for health care or insurance information, making it extremely difficult to prevent the unauthorized use of this information."
Some cybersecurity and privacy experts have already begun speculating on the regulatory implications of this incident.
"This breach will undoubtedly bring a hefty fine from [the Department of Health and Human Services'] Office of Civil Rights to AMCA..." predicted Michael Magrath, director of global regulations and standards at OneSpan. "However, what is necessary is for HHS to revisit the HIPAA Security and Privacy [Rules and] tighten the security controls for third parties." Magrath suggested that the New York Department of Financial Services' new Cybersecurity Regulation for financial institutions (23 NYCRR 500) "could serve as the model."
But Tom Garrubba, senior director and CISO of Shared Assessments, suggested that HIPAA already has clear-cut expectations for third-party business associates, under its Omnibus Rules. "Business associates are by law... to handle data with the same care as covered entities... and these B.A.s are to undergo proper due diligence from the covered entity," said Garrubba in comments sent after the Quest disclosure but before LabCorp had made its announcement.
"I'm curious to see how swiftly the Office of Civil Rights... moves in to review the details of the breach with this particular business associate...who was performing the scope of work, and to see what negligence, if any, is on the hands of Quest," Garrubba remarked. "I'm also curious as to the size of the fines to both entities, as the OCR has historically been under a lot of pressure to levy fines of health care breaches."
Following the Quest Diagnostics disclosure, AMCA sent the following statement to SC Media: "We are investigating a data incident involving an unauthorized user accessing the American Medical Collection Agency system. Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page. We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems' security. We have also advised law enforcement of this incident."