On June 4, LabCorp, which describes itself as “The World’s Leading Health Care Diagnostics Company,” informed the Securities and Exchange Commission in a Form 8-K that Retrieval-Masters Creditors Bureau, Inc. d/b/a American Medical Collection Agency (AMCA) – an external collection agency that LabCorp and other healthcare companies use – had notified it “about unauthorized activity on AMCA’s web payment page (the AMCA Incident). According to AMCA, this activity occurred between August 1, 2018, and March 30, 2019.”
LabCorp stated that it
has referred approximately 7.7 million consumers to AMCA whose data was stored in the affected AMCA system. AMCA’s affected system included information provided by LabCorp. That information could include first and last name, date of birth, address, phone, date of service, provider, and balance information. AMCA’s affected system also included credit card or bank account information that was provided by the consumer to AMCA (for those who sought to pay their balance).
LabCorp also stated that it “provided no ordered test, laboratory results, or diagnostic information to AMCA. AMCA has advised LabCorp that Social Security Numbers and insurance identification information are not stored or maintained for LabCorp consumers.” According to LabCorp, AMCA has informed it that AMCA “is in the process of sending notices to approximately 200,000 LabCorp consumers whose credit card or bank account information may have been accessed.”
LabCorp further reported that AMCA had informed it
that it intends to provide the approximately 200,000 affected LabCorp consumers with more specific information about the AMCA Incident, in addition to offering them identity protection and credit monitoring services for 24 months. LabCorp is working closely with AMCA to obtain more information and to take additional steps as may be appropriate once more is known about the AMCA Incident.
In addition, LabCorp stated that AMCA “has indicated that it is continuing to investigate this incident and has taken steps to increase the security of its systems, processes, and data. LabCorp takes data security very seriously, including the security of data handled by vendors.”
Note: LabCorp and another health-care diagnostics company, Quest Diagnostics – which informed the SEC on June 3 that the AMCA breach had affected 11.9 million of Quest’s customers – demonstrate yet again the importance of companies’ regularly monitoring the data-security practices and measures of their third-party providers. The reports that the AMCA breach lasted for nine months in 2018-2019 indicate the importance of providers continuously maintaining robust data-security measures, and of companies’ frequently conferring with their providers about the soundness of the providers’ measures.