LabCorp data breach exposes information of 7.7 million consumers

A day after Quest Diagnostics announced 12 million patients were affected by a data breach, another medical testing company says its patients’ data was also compromised.

In a filing with the U.S. Securities and Exchange Commission on Tuesday, LabCorp. said “approximately 7.7 million consumers” are affected by a breach at third-party collections firm American Medical Collection Agency, also known as AMCA.

According to the SEC document, the breach happened between Aug. 1, 2018, and March 30, 2019. Information that could have been exposed includes names, addresses, dates of birth and balance information.

“AMCA’s affected system also included credit card or bank account information that was provided by the consumer to AMCA (for those who sought to pay their balance),” the SEC filing said. “LabCorp provided no ordered test, laboratory results, or diagnostic information to AMCA.”

AMCA is the same collections firm who worked with Quest.

The LapCorp filing says “Social Security Numbers and insurance identification information are not stored or maintained for LabCorp consumers.”

“LabCorp takes data security very seriously, including the security of data handled by vendors,” the company said in the SEC filing. “AMCA has informed LabCorp that it intends to provide the approximately 200,000 affected LabCorp consumers with more specific information about the AMCA Incident, in addition to offering them identity protection and credit monitoring services for 24 months.”

The news was first reported by the KrebsOnSecurity security news site.

A statement sent to USA TODAY Tuesday on behalf of AMCA said the company is “investigating a data incident involving an unauthorized user accessing the American Medical Collection Agency system.”

According to the statement, AMCA took down its web payments page after “receiving information from a security compliance firm that works with credit card companies of a possible security compromise” and conducting an internal review.

“We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security,” the statement said. “We have also advised law enforcement of this incident. We remain committed to our system’s security, data privacy, and the protection of personal information.”
Article Source: USA Today