
This is an emerging data breach incident – this information will be updated as ITRC receives more information. Last update: 06/07/19 10:30 am

Quest Diagnostics is one of the United States’ premier providers of medical testing. They are notifying customers who may be at risk because a third-party vendor, American Medical Collection Agency (AMCA), was breached. AMCA reported to Quest that unauthorized users gained access to internal systems. Around 11.9 million Quest patients have potentially been affected, although the company is working to verify that number and patient risk. 200,000 payment cards had previously been found for sale on a well-known dark web market (by Gemini Advisory), and GA linked the cards to AMCA. 15% of the records included additional PII such as DOB, SSN, and physical addresses.

The information exposed includes Social Security numbers, financial information and medical information. Quest reported that the information breached did not include laboratory test results. 

“We are investigating a data incident involving an unauthorized user accessing the American Medical Collection Agency system,” reads a written statement attributed to the AMCA. “Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page.”

“We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident. We remain committed to our system’s security, data privacy, and the protection of personal information.”

Quest also noted that since being notified of the breach, the company has stopped new requests to AMCA and is working to notify affected patients in accordance with the law. AMCA is in the process of sending notices to approximately 200,000 LabCorp consumers whose credit card data or bank account information may have been accessed. These individuals have been offered 2 years of credit monitoring and identity theft protection services.

AMCA provides billing collections services to a company called Optum360, which is a contractor with Quest Diagnostics. Quest Diagnostics is the only company to make a public notification of being affected by the breach, but there is a chance other companies that work with AMCA could also be associated. The trend of third-party breaches is on the rise as hackers target large databases of vendors who work with sensitive information.

Breach Clarity – the new tool developed to help consumers make sense of their risk when it comes to data breach – can help victims of this breach understand their risk of additional exposure. The tool updates its risk score as new, more detailed information is made publicly available. Breach Clarity will guide consumers on their best course of action given the current information – please check it regularly to understand the updated risk assessment and minimization plans.

While patients are waiting to be notified that they were affected, those who think they might be victims can start taking steps to minimize their risk. Financial identity theft and medical identity theft could both result from the breach. You can find resources for financial and medical identity theft in our knowledge center. If you have additional questions regarding data breaches, our expert advisors are available to help. Call us toll-free at 888.400.5530 or LiveChat with us.

For Media Inquiries

About the Identity Theft Resource Center®

Founded in 1999, the Identity Theft Resource Center® (ITRC) is a nationally recognized non-profit organization established to support victims of identity theft in resolving their cases, and to broaden public education and awareness in the understanding of identity theft, data breaches, cybersecurity, scams/fraud, and privacy issues. Through public and private support, ITRC provides no-cost victim assistance and consumer education through its call center, website, social media channels, live chat feature and ID Theft Help app. For more information, visit: https://www.idtheftcenter.org

Contact: Charity Lacey, VP of Communications

Email: media@idtheftcenter.org



Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Hackers are targeting vendors of companies for third-party data breach efforts. This trend rose in 2018, with over 4 million records exposed due to criminal efforts focused on vendor security.

Data breaches often occur at the hands, or keyboards, of hackers. Criminals can infiltrate insecure systems and steal personal data owned or stored by a company. The size of the company and the amount of personal identifying information (PII) it stores factor into the level of risk the breach presents for consumers. One of the more newsworthy data breaches of 2018 was Marriott International, which exposed the information of hundreds of millions of guests, including passport numbers. Hackers targeted Marriott because of the potential payoff of lots of lucrative PII, versus targeting many companies that might result in more – but smaller – payoffs. Now hackers are reevaluating their strategy and getting smarter about where they exert their efforts.

This new strategy comes in the form of targeting vendors for third-party data breaches. Instead of going after one large company’s data, they go after a vendor who works with multiple large companies and collects even more PII. Third-party vendors – like email servers, payment platforms and web plugins – often work with a multitude of companies ranging in purpose or product offered. Therefore, by compromising a third party’s security measures, a hacker gains access to even more PII from a wide variety of consumers.

This attack on third parties and subcontractors became a trend in 2018. Of the third-party data breaches that were reported in 2018, 4,823,234 records were exposed, four times more than in 2017 third-party breaches. In 2019, eSentire (a cybersecurity firm) commissioned a study to determine how concerned companies are regarding vendor risk given the trend in data breaches.

According to the study, 81 percent of respondents said they had an effective third-party risk policy and 74 percent are confident in their vendors’ protections. However, only 35 percent said managing vendor risk was a priority and 20 percent said they trust vendors to uphold privacy standards blindly. The reality is that, of the respondents surveyed, 44 percent of them (or their employer) had experienced a data breach involving a vendor in the last 12 months. To make matters worse, only 15 percent were notified of the breach by the responsible vendor.

There is a clear disconnect between the effort put forth into managing vendor security and the amount of trust companies put in their vendors. Companies need to start evaluating vendor relationships and security practices more thoroughly to ensure the safety of consumers. On the opposite end, consumers need to remember that the safety of their data ultimately resides with them and take the utmost precautions with their personal information.

If you are a victim of a data breach, or have concerns over a recent data breach and your identity, Breach Clarity can help you identify your potential risk and suggest preventative steps. You can also contact ITRC for free assistance regarding your case. Speak with an expert advisor over the phone (888.400.5530) or through LiveChat.

