Just a few days after Quest Diagnostics acknowledged that a billings collections vendor it works with suffered a data breach on its web payment system that may have exposed the information of nearly 12 million patients, another medical laboratory provider, LabCorp, said that that 7.7 million of its patients were also affected by the same breach.
The third-party company, the Elmsford, N.Y.-based American Medical Collection Agency (AMCA), disclosed to LabCorp that the unauthorized activity occurred between August 1, 2018, and March 30, 2019, according to the lab provider’s SEC filing. These were the same dates given in Quest’s SEC filing earlier this week.
According to the filing, “LabCorp has referred approximately 7.7 million consumers to AMCA whose data was stored in the affected AMCA system. AMCA’s affected system included information provided by LabCorp, [which] could include first and last name, date of birth, address, phone, date of service, provider, and balance information.”
The filing further noted that AMCA’s affected system also included credit card or bank account information that was provided by the consumer to AMCA, for those who sought to pay their balance.
LabCorp provided no ordered test, laboratory results, or diagnostic information to AMCA, and the billings collections vendor has advised LabCorp that Social Security numbers and insurance identification information are not stored or maintained for LabCorp consumers.
AMCA has informed LabCorp that it is in the process of sending notices to approximately 200,000 LabCorp consumers whose credit card or bank account information may have been accessed. However, AMCA has not yet provided LabCorp a list of the affected LabCorp consumers or more specific information about them, according to the filing. AMCA will be offering those 200,000 patients identity protection and credit monitoring services for 24 months.
In a June 3 statement posted to Quest’s website, its officials said, “AMCA has not yet provided Quest or Optum360 [who AMCA contracts with for payment services] detailed or complete information about the AMCA data security incident, including which information of which individuals may have been affected. And Quest has not been able to verify the accuracy of the information received from AMCA.”