Personal and medical data of almost 12 million patients may have been compromised in a breach at American Medical Collection Agency (AMCA), a bill collector for medical companies including lab testing center Quest Diagnostics and insurer UnitedHealth Group, Quest Diagnostics said in a press release on Monday.
The billing collection service provider informed Quest Diagnostics and Quest contractor Optum360 about the breach on May 14 but other companies are probably affected as well. An “unauthorized user” was detected on AMCA’s web payment page.
Investigations revealed a third party had gained access to one of their systems and went undetected for eight months. The attacker could freely access information such as credit card numbers, bank accounts, health history and Social Security numbers. Lab tests were not compromised, AMCA said.
The American Medical Collection Agency reached out to law enforcement and is conducting a thorough internal investigation.
“Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page,” an AMCA spokesperson told The Hill.
DataBreaches.net was the first to report that, on February 28, 2019 Gemini Advisory came across the payment data of 200,000 patients for sale on the dark web and informed the American Medical Collection Agency.
“On February 28, 2019, Gemini Advisory identified a large number of compromised payment cards while monitoring dark web marketplaces,” Gemini Advisory said for DataBreaches.net. “Almost 15% of these records included additional personally identifiable information (PII), such as dates of birth (DOBs), Social Security numbers (SSNs), and physical addresses. A thorough analysis indicated that the information was likely stolen from the online portal of the American Medical Collection Agency (AMCA), one of the largest recovery agencies for patient collections. Several financial institutions also collaboratively confirmed the connection between the compromised payment card data and the breach at AMCA.”