Just a day after Quest Diagnostics confirmed a data breach, LabCorp has confirmed that nearly 7.7 million customers’ personal information may have been exposed due to a data breach from third-party collections firm American Medical Collection Agency (AMCA). According to a U.S. Securities and Exchange Commission (SEC) filing, unauthorized activity on AMCA’s web payment page occurred between August 1, 2018, and March 30, 2019.
The exposed data could include first and last name, date of birth, address, phone, date of service, provider, balance information, credit card or bank account information. LabCorp confirmed that no ordered test, laboratory results, or diagnostic information was provided to AMCA. AMCA has advised LabCorp that Social Security Numbers and insurance identification information are not stored or maintained for LabCorp consumers.
AMCA has indicated that it is continuing to investigate this incident and has taken steps to increase the security of its systems, processes, and data. AMCA has informed LabCorp that it intends to provide the approximately 200,000 affected LabCorp consumers with more specific information about the AMCA Incident, in addition to offering them identity protection and credit monitoring services for 24 months, the SEC document stated.
LabCorp is working closely with AMCA to obtain more information and to take additional steps as may be appropriate once more is known about the AMCA Incident.
The Impact of Companies Passing Personal Data to Third Parties
“This is a third party losing data belonging to LabCorp’s customers, and as such, it shines a light on the risks that arise when companies pass personal data on to other companies fairly freely. Of course, as more organizations have access to your data, the greater the chance there is for it to become leaked – amplifying risk. This signifies the complexity of the way that companies use your data, with many players responsible for data privacy,” said Nicko van Someren, Chief Technology Officer at Absolute, a provider of endpoint security.
“According to Gartner, global spending on information security is predicted to exceed $124 billion in 2019, yet we’re still witnessing breaches like this one confirmed by LabCorp – further proving that complexity is a clear and present rival of cybersecurity. Most organizations have risk profiles and commitments with their vendors, especially those handling PHI as a third party. But, when you multiply the number of connections, data flows, EDIs, and other exchanges, there is bound to be something that was neglected. In this case, we know that visibility is key, but then what? You’ll probably find a graveyard of broken, disabled, and failing agents and controls. So how does one stay resilient when the technology cannot withstand the slightest perturbation on the device? By persisting the critical controls necessary to deliver a resilient environment. We must realize that resilience is our most critical defense in the face of changing threats, ever-present vulnerabilities, and a sprawling attack surface,” van Someren added.