Security Experts:

AMCA Breach Hits 12 Million Quest Diagnostics Patients

A data breach at billing collections service provider American Medical Collection Agency (AMCA) could impact many of the company’s customers. One victim is medical testing firm Quest Diagnostics and roughly 12 million of its patients.

AMCA has yet make public any details about the breach, but in a filing with the U.S. Securities and Exchange Commission (SEC) Quest revealed that hackers had access to AMCA systems between August 1, 2018 and March 30, 2019.

AMCA provides services to Optum360, a revenue cycle management provider contracted by Quest. Optum360 and Quest were informed by AMCA about the security incident on May 14.

According to the available information, attackers compromised AMCA’s payment portal and they gained access to financial, medical and other personal information, including social security numbers, credit card numbers and bank account information. However, in a statement sent to SecurityWeek, Quest said laboratory test results were not exposed.

“AMCA has not yet provided Quest or Optum360 detailed or complete information about the AMCA data security incident, including which information of which individuals may have been affected. And Quest has not been able to verify the accuracy of the information received from AMCA,” Quest stated. “Quest is taking this matter very seriously and is committed to the privacy and security of our patients’ personal information. Since learning of the AMCA data security incident, we have suspended sending collection requests to AMCA.”

SecurityWeek has reached out to AMCA for comment, but the company has yet to respond. On its website, the company describes itself as “the leading recovery agency for patient collections.” It claims to manage over $1 billion in annual receivables for a diverse client base, including labs, hospitals, physician groups, billing services and medical providers.

According to DataBreaches.net, which broke the news about a breach at AMCA on May 10, researchers at Gemini Advisory, which monitors the dark web for compromised credentials and financial information, came across payment card information for roughly 200,000 individuals. An analysis showed that the data likely came from AMCA. AMCA did not respond to Gemini Advisory, but the company suspended its payment portal after the cybersecurity firm notified federal law enforcement.

“Once again, a breach that results from third party vulnerabilities,” Colin Bastable, CEO of Lucy Security, told SecurityWeek. “Outsourcing billing to third party vendors is a great way to extract efficiencies by reducing core costs, but it exposes the business and its customers to uncontrollable security risks. The fragmented healthcare industry, like the fragmented home finance and buying industry, is vulnerable because there are so many moving parts, so many areas where bad actors have multiple points of entry to exploit inadequate security.”

UPDATE. AMCA has provided SecurityWeek the following statement:

"We are investigating a data incident involving an unauthorized user accessing the American Medical Collection Agency system. Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page. We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident. We remain committed to our system’s security, data privacy, and the protection of personal information."

Related: Lab Testing Firm Eurofins Scientific Hit by Ransomware

Related: Managed Healthcare Provider Humana Discloses Data Breach

Related: Healthcare Firm EmCare Says 60,000 Employees and Patients Exposed in Breach

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.