American Medical Collection Agency (AMCA) suffered a data breach that could impact many of its customers, the company still hasn’t disclosed details.
A filing with the U.S. Securities and Exchange Commission (SEC) Quest revealed that the attackers broke into the web payment portal of the American Medical Collection Agency between August 1, 2018 and March 30, 2019.
AMCA provides services to numerous firms, including the revenue cycle management provider Optum360, medical testing firm Quest Diagnostics, and LabCorp.
The security breach has impacted roughly 12 million of Quest Diagnostics‘ patients and roughly 7.7 of LabCorp patients. After the disclosure of the incident, Labcorp announced the terminations of business activities with AMCA and Quest Diagnostics has suspended sending collection requests to AMCA.
The hackers broke into company databases containing millions of medical test lab patients’ personal and payment information.
“LabCorp has referred approximately 7.7 million consumers to AMCA whose data was stored in the affected AMCA system. AMCA’s affected system included information provided by LabCorp.” reads the Form 8-K filing.
“That information could include first and last name, date of birth, address, phone, date of service, provider, and balance information. AMCA’s affected system also included credit card or bank account information that was provided by the consumer to AMCA (for those who sought to pay their balance). LabCorp provided no ordered test, laboratory results, or diagnostic information to AMCA.”
AMCA confirmed that Social Security Numbers and insurance identification information are maintained for LabCorp consumers.
AMCA also informed LabCorp that it is sending security breach notices to approximately 200,000 LabCorp consumers whose financial data may have been compromised.
According to DataBreaches.net, stolen data are already fueling dark web, in
“The breach had been discovered by Gemini Advisory, who informed this site that they had found approximately 200,000 patients’ payment card info for sale on a well-known marketplace. The cards had apparently been compromised between September, 2018 and the beginning of March, 2019.” states DataBreaches.net.