Fortune 500 Company Faces Multiple Class Action Suits for Massive Data Breach Affecting Nearly 20M

Fortune 500 company Quest Diagnostics, Laboratory Corporation of America Holdings (LabCorp), and third-party billing provider American Medical Collection Agency (AMCA) are facing multiple class-action lawsuits after cybercriminals breached the web payment page of AMCA over an eight-month period. The attack reportedly exposed the personally identifiable information (PII) — such as medical information, credit card numbers, bank account information, and Social Security Numbers — of nearly 20 million patients.

The lawsuits have been filed in multiple courts located in New York, New Jersey, and California, among others, as well as with the United States Judicial Panel on Multidistrict Litigation (JPML).  

According to Quest’s SEC report filed on June 3, 2019, AMCA notified Quest and its revenue cycle management provider, Optum360, of the breach on May 14, 2019. Quest stated that it has suspended sending collection requests to AMCA, notified all affected health plans, and is now seeking the assistance of security experts to better understand the data breach.


The same Form 8-K that the company filed states that the breach affected an estimated 11.9 million Quest patients, but the company assures that the breach did not expose any laboratory test results, as Quest does not forward such information to AMCA. Quest is considered to be the largest lab service provider in the U.S., annually providing service to one in three adult Americans as well as half the doctors and hospitals in the whole country.

Meanwhile, in the Form 8-K submitted to the SEC on June 4, 2019, LabCorp states that an estimated 7.7 million patients it referred to AMCA have had their data exposed because of the leak. The report details that LabCorp provided AMCA with the details of millions of patients, which were stored in a compromised system. Patients’ full names, birth dates, addresses, phone numbers, service dates, healthcare providers, and even their balance information and credit card or bank account information could have been accessed because of the data breach. The company also ceased sending new collection requests to AMCA and stopped AMCA from processing pending collection requests.

LabCorp also divulged that they will reach out to approximately 200,000 of their affected clients to give more comprehensive information on the breach and to offer identity protection and credit monitoring services for a two-year period.

How can companies prevent or mitigate data breaches?

The healthcare industry is a logical target for cybercriminals who want to get their hands on a vast amount of sensitive information. Trend Micro has previously reported that the healthcare industry accounts for 26.9% of all data breaches over the past decade. One of the class-action lawsuits filed against Quest and AMCA asserts that it is likely that the compromised patient information “will or has been disclosed already on the dark web.” We have observed that PII and credit card numbers are readily available in the cybercriminal underground in bulk amounts, and are being sold at cheaper prices, making it easier and more affordable for cybercriminals to take advantage of data breach victims.

Enterprises can suffer from severe client backlash due to data breaches. When credit card or bank account information has been exposed, clients have to spend their time cancelling compromised cards, opening new accounts, and reversing fraudulent purchases from their cards. Some of them might even suffer from identity theft. As a result, companies risk losing financial resources due to lawsuits and regulatory compliance fines.

The data breach in this particular case was caused by a supply chain attack on AMCA’s web payment page; however, data breaches can also come from misconfigurations, patch lags, and insecure software or system components.

Organizations can also implement these best practices for securing data:

  • Identify the weak spots in the organization’s security infrastructure — including the supply chain — and implement intrusion-preventive measures accordingly.
  • Educate all company employees on security policies and contingency plans on how to identify attacks and trends in social engineering, and what to do when it happens.
  • Make sure that vendors comply with the company’s data privacy safeguards and quality-control mechanisms.  
  • Modify and verify privacy configuration settings. Limit those who have access to all databases to create an extra layer of protection to secure sensitive information.
  • Practice network segmentation and data categorization.

Aside from these tips, an organization needs to take a proactive approach to bridging security gaps and responding to data breaches — managed detection and response (MDR) can fill these gaps. MDR provides organizations with security capabilities that can help them anticipate and thwart known (or unknown) threats and, in the event of a compromise, remediate the incident faster.

