SoylentNews is people

posted by Fnord666 on Thursday June 13 2019, @01:19PM
from the another-day-another-hack dept.

Submitted via IRC for SoyCow4463

A security breach at a billing company has resulted in nearly 20 million patients of LabCorp and Quest Diagnostics getting their information stolen from them. The breach was first disclosed Monday by Quest Diagnostics, which reported in a Securities and Exchange Commission filing that a breach at third-party collections vendor American Medical Collection Agency (AMCA) compromised 11.9 million customers. Today, LabCorp indicated that 7.7 million of its patients were also affected by the AMCA breach.

The attack targeted at AMCA's website is just the latest in a series of breaches that have managed to skim personal information from major companies. Similar attacks hit British Airways, Ticketmaster and Newegg late last year.

Source: https://www.engadget.com/2019/06/05/quest-diagnostics-labcorp-amca-data-breach/

Previously: Billing Details for 11.9M Quest Diagnostics Clients Exposed



Related Stories

Billing Details for 11.9M Quest Diagnostics Clients Exposed

Quest Diagnostics Incorporated, a Fortune 500 diagnostic services provider, says that approximately 12 million of its clients may have been impacted by a data breach reported by one of its billing providers.

The company reported to the U.S. Securities and Exchange Commission (SEC) that it received a notification from its billing collection provider American Medical Collection Agency (AMCA) that their web payment page was breached.

According to its website, AMCA is "managing over $1BN in annual receivables for a diverse client base" and it is the "leading recovery agency for patient collection," servicing "laboratories, hospitals, physician groups, billing services, and medical providers all across the country."

As detailed in the SEC notification from Quest Diagnostics, AMCA informed the company that "between August 1, 2018 and March 30, 2019 an unauthorized user had access to AMCA’s system that contained information that AMCA had received from various entities, including Quest Diagnostics, and information that AMCA collected itself."

Quest Diagnostics states that it took the following measures after being informed of the incident:

  • (Score: 1, Informative) by Anonymous Coward on Thursday June 13 2019, @01:42PM (4 children)

    by Anonymous Coward on Thursday June 13 2019, @01:42PM (#855126)

    We recently had this story [soylentnews.org] about the Quest Diagnostics breach.

    • (Score: 2) by takyon on Thursday June 13 2019, @01:44PM (2 children)

      by takyon (881) <takyonNO@SPAMsoylentnews.org> on Thursday June 13 2019, @01:44PM (#855127) Journal

      added

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
      • (Score: 4, Interesting) by bzipitidoo on Thursday June 13 2019, @05:50PM (1 child)

        by bzipitidoo (4388) on Thursday June 13 2019, @05:50PM (#855217) Journal

        I wish people would stop using the words "stolen" or "loss" to describe these data breaches. Was the data deleted? Or encrypted, for ransom? No? Then it's not lost or stolen, it is only copied. Quite bad enough that a whole lot of privacy was compromised. However, the keepers of all that data still have the data. Call it what it is: a breach, of privacy.

        I realize there's a long tradition of this misuse of the verb "to steal". Spies "steal" secrets. Artists "steal" each others' ideas. This usage has long been a histrionic way to overemphasize the severity of the supposed transgression.

        As for any security compromises, we understand that large organizations practice bad security. Why was sensitive data not encrypted? And, in many ways worse, why this persistence in treating publicly visible data, such as credit card and Social Security numbers, as if they are big secrets? It's like complaining about packet sniffing because it breaks the supposed security of Telnet, which sends passwords in the clear, when all along we have SSH. 09F9 1102 9D74 E35B DB41 56C5 6356 88C0. Let's not be distracted by all this hyperventilating over the "thieves" who obtained copies of all this data and whom the victims would probably like to see executed by hanging from the neck until dead, when these organizations are too cheap and dimwitted to put a lock on the door, wanting to cry that some rude people let themselves in without even the courtesy of knocking first. They'd rather practice "security by fear". Make the punishment so harsh that no one dares walk through a wide open doorway. Then they don't even have to pay to have a door put in the frame.

        • (Score: 0) by Anonymous Coward on Thursday June 13 2019, @06:00PM

          by Anonymous Coward on Thursday June 13 2019, @06:00PM (#855222)

          exactly. these companies don't want to do their jobs in regards to security then try to make the "thieves" out to be some sort of masterminds. no, you sacks of shit are guilty of gross negligence.

    • (Score: 2) by DeathMonkey on Thursday June 13 2019, @06:12PM

      by DeathMonkey (1380) on Thursday June 13 2019, @06:12PM (#855231) Journal

      Nothing to worry about folks! Our resident Trump supporters all assure me that hacking is all fake news.

  • (Score: 3, Insightful) by SemperOSS on Thursday June 13 2019, @02:12PM (2 children)

    by SemperOSS (5072) on Thursday June 13 2019, @02:12PM (#855143)

    As a software architect who mostly works directly for public services and for their suppliers, I find it very difficult to get developers to take security seriously beyond token measures to cover the bare minimum. Trying to get people higher up in the hierarchy to take action is probably even more difficult as their bonus targets are cost and delivery time, both of which could be affected negatively by doing security right — at least in their books. As long as that is the case and as long as specific security measures are not baked into the tenders and contracts, this is not going to change.


    --
    I don't need a signature to draw attention to myself.
    Maybe I should add a sarcasm warning now and again?
    • (Score: 1, Insightful) by Anonymous Coward on Thursday June 13 2019, @05:17PM

      by Anonymous Coward on Thursday June 13 2019, @05:17PM (#855203)

      As a software architect who mostly works directly for public services and for their suppliers, I find it very difficult to get developers to take security seriously beyond token measures to cover the bare minimum.

      It seems that the most direct way to solve this long term is to make it far more expensive for them when the inevitable data breach occurs than it would have been to get their product out the door at minimum cost and on time delivery; make them pay huge exorbitant fines and possible jail time to boot and then they will start to take security issues seriously. While the stick is rather a brute force method to get them to do the right thing, I don't see much of any carrot to offer instead.

    • (Score: 0) by Anonymous Coward on Thursday June 13 2019, @06:02PM

      by Anonymous Coward on Thursday June 13 2019, @06:02PM (#855225)

      those aren't "developers" those are windows and mac users.

  • (Score: 3, Interesting) by Coward, Anonymous on Thursday June 13 2019, @02:33PM (1 child)

    by Coward, Anonymous (7017) on Thursday June 13 2019, @02:33PM (#855149) Journal

    Of all the presidential candidates, Warren has been most consistent about holding corporate feet to the fire. She recently proposed a bill [theverge.com] that would hold executives responsible for data breaches.

    • (Score: 3, Funny) by DeathMonkey on Thursday June 13 2019, @06:40PM

      by DeathMonkey (1380) on Thursday June 13 2019, @06:40PM (#855243) Journal

      How dare you support policies that might help solve these problems. Such trolling!

  • (Score: 2, Interesting) by Anonymous Coward on Thursday June 13 2019, @04:29PM

    by Anonymous Coward on Thursday June 13 2019, @04:29PM (#855185)

    My doctor switched to LabCorp for drug testing. Insurance doesn't cover it. I got a $800 bill from LabCorp for the same drug test that used to cost $60 at the previous lab. If you call (their call center sounds like a telemarketer boiler room) and complain they'll give you a 90% discount.

  • (Score: 4, Interesting) by NotSanguine on Thursday June 13 2019, @06:56PM (2 children)

    I'm not defending them, but it wasn't Quest or LabCorp whose systems were breached.

    It was a third-party debt collector's systems that were ransacked. Why does that matter? There are several reasons:
    1. Debt collectors generally buy outstanding "debts" (quotes because sometimes it's not really money that's owed, the "debtors" are just being harassed) for pennies on the dollar. As such, they have no relationship with the folks being pursued and little motivation to protect such data.
    2. While (in the US at least) health care providers and insurers are liable to both civil and criminal action (under HIPAA [wikipedia.org]) for data breaches, third parties such as AMCA [amcaonline.com] are not.
    3. Given points (1) and (2), companies like LabCorp and Quest can claim that they bear no responsibility for such issues, despite the fact that the "collections" agency [krebsonsecurity.com] involved "...also does business under the name “Retrieval-Masters Credit Bureau,” a company that has been in business since 1977. Retrieval-Masters also has an atrocious reputation for allegedly harassing consumers for debts they never owed." Since they knew (or should have known) the unethical history of this company, they increase their scumbag score significantly.

    As such, no one has clean hands here. But just heaping scorn on Quest and LabCorp isn't enough, IMHO. Special venom should be reserved for AMCA and the lack of effective regulation around "debt" collections.

    Don't give AMCA a pass here, they were the proximate cause of *multiple* data breaches and are even bigger (if that's possible) scumbags than Quest or LabCorp.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
    • (Score: 2) by digitalaudiorock on Thursday June 13 2019, @10:15PM (1 child)

      by digitalaudiorock (688) on Thursday June 13 2019, @10:15PM (#855310) Journal

      As such, no one has clean hands here. But just heaping scorn on Quest and LabCorp isn't enough, IMHO. Special venom should be reserved for AMCA and the lack of effective regulation around "debt" collections.

      Backing up from this 1000 miles, I tend to reserve most all my venom for all those managing to brainwash the American public into believing that a single payer system isn't clearly the way to go. That is a sane system where there is no fucking "debt" to "collect".

      • (Score: 3, Interesting) by NotSanguine on Thursday June 13 2019, @10:25PM

        Backing up from this 1000 miles, I tend to reserve most all my venom for all those managing to brainwash the American public into believing that a single payer system isn't clearly the way to go. That is a sane system where there is no fucking "debt" to "collect".

        I couldn't agree more. Well, I guess if I took some molly [wikipedia.org] it might increase my levels of empathy and then I could. But in the absence of chemical enhancement, I'll do what I can.

        That said, I was struck by all the hate on Quest and LabCorp in this discussion and wanted to throw some light on the culprit *in this case*. Note that I'm not letting anyone off the hook, just pointing out something that had been ignored in the comments.

        Because as much as you and I (and many others [kff.org]) would like to see single-payer, that's not what we have now.

        --
        No, no, you're not thinking; you're just being logical. --Niels Bohr