LabCorp said about 7.7 million customers’ personal information may have been compromised due to a data breach at a billings collections firm — a day after competing lab testing company Quest Diagnostics also announced nearly 12 million patients were potentially affected by a similar security incident.
LabCorp said Tuesday that third-party collections firm American Medical Collection Agency (AMCA) discovered “unauthorized activity” on its web payment page that occurred between August 2018 and March 30, 2019, according to a U.S. Securities and Exchange Commission (SEC) filing the same day.
“AMCA’s affected system included information provided by LabCorp. That information could include first and last name, date of birth, address, phone, date of service, provider, and balance information,” the SEC document stated. “AMCA’s affected system also included credit card or bank account information that was provided by the consumer to AMCA (for those who sought to pay their balance).”
LabCorp said it did not provide AMCA with patients’ lab results and Social Security numbers and insurance information was not stored in the firm’s system.
The billings collections company is in the process of notifying about 200,000 LabCorp patients whose credit card or bank information may have been affected by the breach. A list of people whose information was compromised and more details about the incident have not been provided, the SEC document stated.
“AMCA has informed LabCorp that it intends to provide the approximately 200,000 affected LabCorp consumers with more specific information about the AMCA Incident, in addition to offering them identity protection and credit monitoring services for 24 months,” according to the filing.
“LabCorp is working closely with AMCA to obtain more information and to take additional steps as may be appropriate once more is known about the AMCA Incident,” it added.
A statement released on behalf of AMCA to KrebsonSecurity, which first reported the incident, said the agency took down its web payments page when it received information about a possible breach.
“We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security,” the statement read. “We have also advised law enforcement of this incident. We remain committed to our system’s security, data privacy, and the protection of personal information.”
The report comes a day after Quest Diagnostics said the personal information, including “certain financial data, Social Security numbers, and medical information,” of about 11.9 million patients was potentially compromised due to the AMCA data breach.
Quest Diagnostics said it was looking into the issue and hasn’t been able to verify AMCA’s information. The company added it was still waiting for a complete report of the data security incident that identified which patients were affected, but has since suspended work with the collection agency.