Incident Of The Week: Millions Hit By Quest, LabCorp Data Breach

Criminal actor exposed the data of nearly 20M people in the cyber attack

Kayla Matthews
06/07/2019

Medical records are the jackpot for identity thieves and malicious actors because of the wealth of information they contain. Even if you have become desensitized to the cadence of breaches, a frightening reality that speaks to how difficult it is to truly secure your data, the recent breaches of Quest Diagnostics and competitor LabCorp should get your attention because of the implications for those involved.

Both companies point to the exploitation of the American Medical Collection Agency (AMCA) as the threat vector for the attacks. Quest claims up to 11.9 million people's data may have been stolen, while LabCorp cites a slightly lower 7.7 million, bringing the total to nearly 20 million consumers at risk. The documents exposed could contain patients' Social Security and insurance information, two valuable data points for those seeking to create false identities, which makes this a valuable haul for hackers who might resell the information on the dark web.

AMCA Fails In Both Cases

In compliance with new laws that require companies to take specific steps to notify customers in the event of a breach, Quest Diagnostics filed the discovery of the breach with the Securities and Exchange Commission on June 3rd. LabCorp filed the very next day, on June 4th.

The source of the breach appears to be a "man in the middle" style attack carried out using the AMCA's billing webpage. A criminal actor was able to intercept communications from end users to the AMCA page and extract users' personal data. Since both companies bill using AMCA, customers of each lab work provider are at risk of having their credit card information used fraudulently. While each of the two has released statements in reaction to these incidents, the language differs slightly between them.

Web payment through the AMCA has been halted by Quest. The testing company has stated that they have not yet verified the accuracy of the data, but that the affected transactions appear to range from August 1, 2018 to May 31, 2019. A spokesperson for the AMCA released a statement through crisis communications specialists Brunswick Group stating that the AMCA is investigating the breach to learn more, and that law enforcement has been informed.

In a more explicit statement than what has been shared by Quest, LabCorp specified that lab results, Social Security numbers and insurance information were not stored in the company's systems. They released a detailed list of potentially shared information, which includes "first and last name, date of birth, address, phone, date of service, provider, and balance information."

LabCorp also stated that the AMCA will be proactively notifying about 200,000 people whose credit card or bank information may have been captured in the breach, but that specific information about who these people are was not being shared. For those affected, the AMCA will be offering 24 months of identity theft protection and credit monitoring in hopes of stopping any attempts to use this information in a fraudulent way.

Because AMCA only handles billing information, specifically through contractor Optum360 in the case of Quest, patients' actual medical information was not exposed as a result of the Quest breach. So if you're a Quest user, maybe it comes as some consolation that your private medical info was spared.

At Least Quest's Second Breach

Because so much criminal activity online goes unnoticed, it is impossible to say exactly how frequently this sort of thing happens. However, we do know that Quest suffered a smaller breach in 2016. In that instance, Quest's lab information was compromised by a direct attack. Quest released a statement at that time claiming that they believed the potential harm to patients was low, due to the nature of the information accessed and the small number of patients exposed. The current situation, however, is much more serious.

Quest is not alone in suffering from malicious activities by hackers. The credit card skimming scheme used in this most recent attack has been connected to the Magecart hacking group and has affected vendors like Newegg, British Airways and Sotheby's.

Be Your Own Best Security

With no clear end to these types of attacks in sight, it is a scary time to be a consumer. Make sure to always check your credit card statement for signs of illegitimate activity and bank with a reputable provider that offers fraud alerts and protection. Many banks do offer full reimbursement for fraud now, but if you do not know when you are affected by a breach, it can be easy to let things slip through the cracks.