This week, Quest Diagnostics and Laboratory Corp. of America released securities filings disclosing that data on 11.9 million Quest customers and 7.7 million LabCorp patients might have been affected when an "unauthorized user" gained access to American Medical Collection Agency's (AMCA) system.
Quest Diagnostics on Monday disclosed that an "unauthorized user" had access to American Medical Collection Agency's (AMCA) system and might have accessed data on 11.9 million Quest patients.
Quest in a statement said AMCA on May 14 alerted Quest and Optum360, one of Quest's contractors that uses AMCA's billing collection services, that an unauthorized user had access to AMCA's systems between Aug. 1, 2018, and March 30, 2019. According to Quest's securities filing, the data stored by AMCA included financial information—such as credit card numbers and bank account information—medical information, and other personal information, such as Social Security Numbers. The data did not include lab results.
Quest said AMCA has not provided "detailed or complete information about the AMCA data security incident, including which information of which individuals may have been affected." However, Quest said it is working to verify the information AMCA has provided.
Quest also said it has stopped sending collections to AMCA and is complying with all notification regulations. "We are committed to keeping our patients, health care providers, and all relevant parties informed as we learn more," Quest said.
Quest added that it will work with AMCA, Optum360, and third-party security experts to conduct an investigation of the breach. Quest said patients with questions about the breach can contact the company's customer service hotline at 866-MY-QUEST.
AMCA said it has "hired a third-party external forensics firm to investigate any potential security breach in [its] systems, migrated [its] web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase [its] systems' security."
A spokesperson for UnitedHealth Group, Optum360's parent company, said Optum360's systems were not affected by the security incident. UnitedHealth Group said it is working with Quest and AMCA to make sure appropriate steps are taken to address the breach.
The Daily Briefing is published by Advisory Board, a division of Optum, which is a wholly owned subsidiary of UnitedHealth Group.
LabCorp in its securities filing said the addresses, balance information, dates of birth, dates of service, health care providers, names, and phone numbers of about 7.7 million of its patients also might have been exposed in the breach. "AMCA's affected system also included credit card or bank account information that was provided by the consumer to AMCA (for those who sought to pay their balance)," the filing stated.
LabCorp, which is one of the world's leading commercial laboratory testing companies, said it does not send AMCA any diagnostic information or laboratory results, so such information was not at risk. LabCorp also noted that AMCA does not store insurance identification information or social security numbers for LabCorp patients.
LabCorp said it has stopped sending collection requests to AMCA and has suspended the collection firm's work on pending requests that involved LabCorp patients.
LabCorp's securities filing stated that AMCA is sending notices to about 200,000 consumers whose bank account or credit card information might have been exposed in the breach, and offering affected consumers credit monitoring services and identity protections services for two years (Thomas, Wall Street Journal, 6/4; Tyko, USA Today, 6/4; NBC 4 New York, 6/4; Uchill, Axios, 6/3; Truong, MedCity News, 6/3; Chin, Wall Street Journal, 6/3; Rowland, Washington Post, 6/3).
Executives need to play a crucial role in cybersecurity strategy. While the chief information officer (CIO) and chief information security officer (CISO) will be critical partners, they can't be left to lead the charge all on their own. For example:
Want to learn more about what you should be doing in your role? Check out our cybersecurity cheat sheet series which outline what executives in every role should be doing—and the key questions they should be asking—to help their organizations stay secure.
Create your free account to access 2 resources each month, including the latest research and webinars.
You have 2 free members-only resources remaining this month remaining this month.
Never miss out on the latest innovative health care content tailored to you.