7.7 Million LabCorp Customers Were Potentially Hit by a Massive Data Breach
Quite a few people were worried when Laboratory Corporation of America Holdings (better known as LabCorp) announced that it had suffered a cyberattack on July 16, 2018. This is not terribly surprising. After all, we're talking about a worldwide organization that performs a variety of clinical tests in dozens of countries, which means that it's responsible for the health-related information of millions of patients.
A couple of days later, those patients breathed a sigh of relief when it became apparent that their data had not been exposed. It turned out that the laboratory chain had been targeted by ransomware operators who were not interested in stealing any information. Quite a few systems were affected, but LabCorp eventually managed to rebuild its infrastructure, and everything went back to normal. On Tuesday, LabCorp announced that its name has been involved in another cyberattack, and unfortunately, this time, people's data was compromised.
LabCorp customers hit by a data breach that didn't happen at LabCorp
The news broke when LabCorp filed an 8-K form with the US Securities and Exchange Commission which said that a medical collection company known as American Medical Collection Agency (AMCA) had been hit by hackers. LabCorp, like many other organizations, had contracted AMCA to collect some of the money that is owed to it and had given the agency information that belonged to LabCorp customers. Unfortunately, around August 1, 2018, hackers managed to compromise AMCA's payment page, and they started stealing people's data. On March 30, 2019, the system was finally secured, and the attack was brought to an end.
What was the nature of the information that got stolen?
Quite a lot of details were leaked during the attack. LabCorp admitted that the data included names, addresses, dates of birth, phone numbers, and information on the amount owed. Thankfully, LabCorp has not shared any medical information with AMCA, and the agency itself insists that it has no Social Security Numbers or insurance identification information on LabCorp patients. Unfortunately, AMCA has admitted that some payment details "may have been accessed".
How many LabCorp clients were affected?
LabCorp says that it has referred around 7.7 million customers to AMCA, but the filing isn't very clear on the exact number of people who have had some or all of their data exposed. AMCA is in the process of sending notices to around 200 thousand LabCorp customers who are about to receive identity theft protection and credit monitoring services for the next 24 months, but nobody seems to be sure whether these are all the LabCorp patients that got hit by the AMCA data breach. One thing that is certain is that the people who used LabCorp's services weren't the only ones affected by the AMCA data breach.
LabCorp might be just the tip of the iceberg
As we mentioned already, LabCorp is just one of AMCA's customers, which means that LabCorp's users are just a portion of all the people affected by the breach. By the looks of things, it's not a very big portion, either.
On June 3, just a day before LabCorp filed its 8-K filing, Quest Diagnostic, another medical testing company, announced that thanks to the AMCA breach, very close to 12 million of its patients had had their financial and personal information exposed. The difference, in that case, was that Quest's customers also had their Social Security Numbers and some medical data compromised. Worst of all, for some people, this was not really news.
In late-February, security researchers from Gemini Advisory discovered some stolen records on the dark web, and after analyzing them, they were pretty sure that they had been pilfered from AMCA's systems. The experts tried to get in touch with the collection agency, but they received no response. A couple of months later, DataBreaches.net also reported on the incident, and they too tried to get hold of someone from AMCA, but once again, the victim of what Gemini Advisory describes as the biggest medical breach of 2019 remained silent.
The cat is well and truly out of the bag now, but even so, AMCA is still not very communicative. This is not really the sort of reaction you want to see from a company that has been hit by such a massive data breach.
It's still unknown how many other companies might be affected by the AMCA incident, and it's even more difficult to predict how many people have had their data exposed. It's fair to say that if you have had any business interactions with AMCA between August 2018 and March 2019, however, you might want to keep your eyes peeled for anything suspicious.