A security breach at a billing company has resulted in nearly 20 million patients of LabCorp and Quest Diagnostics getting their information stolen from them. The breach was first disclosed Monday by Quest Diagnostics, which reported in a Securities and Exchange Commission filing that a breach at third-party collections vendor American Medical Collection Agency (AMCA) compromised 11.9 million customers. Today, LabCorp indicated that 7.7 million of its patients were also affected by the AMCA breach.
The attack targeted at AMCA's website is just the latest in a series of breaches that have managed to skim personal information from major companies. Similar attacks hit British Airways, Ticketmaster and Newegg late last year.
Source: https://www.engadget.com/2019/06/05/quest-diagnostics-labcorp-amca-data-breach/
Quest Diagnostics Incorporated, a Fortune 500 diagnostic services provider, says that approximately 12 million of its clients may have been impacted by a data breach reported by one of its billing providers.
The company reported to the U.S. Securities and Exchange Commission (SEC) that it received a notification from its billing collection provider American Medical Collection Agency (AMCA) that their web payment page was breached.
According to its website, AMCA is "managing over $1BN in annual receivables for a diverse client base" and it is the "leading recovery agency for patient collection," servicing "laboratories, hospitals, physician groups, billing services, and medical providers all across the country."
As detailed in the SEC notification from Quest Diagnostics, AMCA informed the company that "between August 1, 2018 and March 30, 2019 an unauthorized user had access to AMCA’s system that contained information that AMCA had received from various entities, including Quest Diagnostics, and information that AMCA collected itself."
Quest Diagnostics states that it took the following measures after being informed of the incident:
(Score: 1, Informative) by Anonymous Coward on Thursday June 13, @01:42PM (1 child)
We recently had this story [soylentnews.org] about the Quest Diagnostics breach.
(Score: 2) by takyon on Thursday June 13, @01:44PM
added
(Score: 2) by SemperOSS on Thursday June 13, @02:12PM
As a software architect who mostly works directly for public services and for their suppliers, I find it very difficult to get developers to take security seriously beyond token measures to cover the bare minimum. Trying to get people higher up in the hierarchy to take action is probably even more difficult as their bonus targets are cost and delivery time, both of which could be affected negatively by doing security right — at least in their books. As long as that is the case and as long as specific security measures are not baked into the tenders and contracts, this is not going to change.
