Posts

This is an emerging data breach incident – this information will be updated as ITRC receives more information. Last update: 06/07/19 10:30 am

Quest Diagnostics is one of the United States’ premier providers of medical testing. They are notifying customers who may be at risk because a third party vendor, American Medical Collection Agency (AMCA), was breached. AMCA reported to Quest that unauthorized users gained access to internal systems. Around 11.9 million Quest patients have potentially been affected, although the company is working to verify that number and patient risk. 200,000 payment cards been previouly found for sale on a well-known dark web market (by Gemini Advisory) and GA linked the cards to AMCA. 15% of the records included additional PII such as: DOB, SSN, and physical addresses. 

The information exposed includes Social Security numbers, financial information and medical information. Quest reported that the information breached did not include laboratory test results. 

We are investigating a data incident involving an unauthorized user accessing the American Medical Collection Agency system,” reads a written statement attributed to the AMCA. “Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page.”

“We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident. We remain committed to our system’s security, data privacy, and the protection of personal information.”

Quest also noted that since being notified of the breach, the company has stopped new requests to AMCA and are working to notify patients affected in accordance with the law. AMCA is in the process of sending notices to approximately 200,000 LabCorp consumers whose credit card data or bank account information may have been accessed. These individuals have been offered 2 years of credit monitoring and identity theft protection services. 

AMCA provides billing collections services to a company called Optum360, whom is a contractor with Quest Diagnostics. Quest Diagnostics is the only company to make a public notification of being affected by the breach, but there is a chance other companies who work with AMCA could also be associated. The trend of third-party breaches is on the rise as hackers target large databases of vendors who work with sensitive information.

Breach Clarity – the new tool developed to help consumers make sense of their risk when it comes to data breach – can help victims of this breach understand their risk of additional exposure. The tool updates its risk score as new, more detailed information is made publicly available. Breach Clarity will guide consumers on their best course of action given the current information – please check it regularly to understand the updated risk assessment and minimization plans.

While patients are waiting to be notified they were affected, those who think they might be victims can start taking steps to minimize their risk. Financial identity theft and medical identity theft could both be a cause of the breach. You can find resources for financial and medical identity theft in our knowledge center. If you have additional questions regarding data breach, our expert advisors are available to help. Call us toll-free at 888.400.5530 or LiveChat with us. 

For Media Inquiries

About the Identity Theft Resource Center®

Founded in 1999, the Identity Theft Resource Center® (ITRC) is a nationally recognized non-profit organization established to support victims of identity theft in resolving their cases, and to broaden public education and awareness in the understanding of identity theft, data breaches, cybersecurity, scams/fraud, and privacy issues. Through public and private support, ITRC provides no-cost victim assistance and consumer education through its call center, website, social media channels, live chat feature and ID Theft Help app. For more information, visit: https://www.idtheftcenter.org

Contact: Charity Lacey, VP of Communications

Email: media@idtheftcenter.org

More media resources here


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read more: First American Financial Breach Exposes Millions of Complete Identities

 

In yet another example of technology outpacing its users, an unsecured database of First American Financial has exposed hundreds of millions of records, including complete identities—names, account numbers, Social Security numbers, and much more—of American consumers. The information was compiled in a database that was left unsecured on a web-based server, meaning anyone with internet access could have potentially stumbled across it.

The ITRC currently tracks seven categories of data loss methods and is categorizing the First American Financial breach under “accidental web exposure.” This kind of data exposure is becoming all-too-common. Web servers like this one are intended to let authorized individuals access documents online. All they need is the URL, or web address, for a single document; that URL is usually shared with the intended recipient by the owner, in this case, First American Financial. But if the web server isn’t password protected or doesn’t require authentication, all you’d have to do to see any other document in the database is change a digit in the URL. That single digit would provide you access to an entirely different customer’s personal information, history, bank account numbers, SSN, tax and mortgage records, and more.

Even worse, in these kinds of breaches, there’s no way of knowing if anyone accessed them or not. In the case of First American Financial, a real estate professional discovered this flaw by mistake. When he reported it to the company but they had no response, he reported the security incident to Krebs on Security, who then confirmed it.

First American Financial is one of the country’s largest title insurance providers—meaning they’ve handled hundreds of millions of consumer records.  Fortunately, a new tool can help consumers make sense of a data breach; Breach Clarity helps people who are affected by the breach understand their options and take corrective action.  If any of the estimated 885 million records were actually accessed by a malicious individual and you think you may be a victim, securing your credit report with a freeze and monitoring your accounts are some of the few useful steps you can take. For its part, the company has taken steps to close off further access to these records, but isn’t offering any further information until their own internal review is completed.

The Identity Theft Resource Center and Futurion have partnered and launched a tool called Breach Clarity, which takes publicly-available data breach information and breaks down both the threat and actionable steps for consumers. 


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read more: ITRC Advisor Saves Woman from Lottery Scam and Losing $2,500