12 Million Medical Bills Stolen by Data Thieves: What to Do
Nearly 12 million medical bills containing Social Security numbers and credit-card numbers were stolen by data thieves. Here's what to do.
Nearly 12 million U.S. residents may have had their credit-card numbers and Social Security numbers compromised, thanks to a data breach at a medical bill-collection agency. It's likely that names, addresses and dates of birth were also part of the breach.
The breach was officially disclosed in a Securities and Exchange Commission filing today (June 3) by New Jersey-based Quest Diagnostics, one of the largest clinical lab-testing providers in the world.
But Quest didn't suffer the breach itself. Rather, the breached company was American Medical Collection Agency (AMCA), a bill collector that had been subcontracted by Optum360, a company that handles Quest's billing. AMCA notified Quest of the breach on May 14, according to the SEC filing, and stated that the attackers had access to AMCA's systems from Aug. 1, 2018 to March 30, 2019 -- eight months in total.
"AMCA believes that the number of Quest Diagnostics patients whose information was contained on AMCA's affected system was approximately 11.9 million people," Quest said in the SEC filing. "The information on AMCA's affected system included financial information (e.g., credit card numbers and bank account information), medical information and other personal information (e.g., Social Security Numbers)."
The results of the lab tests themselves were not part of the compromised data.
What to do
If you've had any kind of medical procedure in the past year or two that involved any kind of lab test -- which includes routine physicals and drug tests -- it's likely that Quest Diagnostics handled at least some of the lab work.
You should check your credit card statements for any discrepancies and use annualcreditreport.com to get a free credit report from at least one of the three big credit-reporting agencies (Equifax, Experian and TransUnion).
If and when you do get notified that your personal data was part of this breach, you should consider signing up with an identity-protection service if such services are not offered to you by one of the affected companies.
Unfortunately, we do not have information yet about who exactly is affected, and we do not believe that any of the victims of this compromise have yet been notified. Quest is likely not AMCA's only client, and we expect the numbers of affected individuals to rise above 12 million as more companies report that their data was also part of the breach.
"Quest will be working with Optum360 to ensure that Quest patients are appropriately notified consistent with the law," Quest Diagnostics said in a statement on its website, adding that it had suspended doing business with AMCA.
Not everyone who's had a lab test is part of this
On the bright side, even if Quest handled your lab tests, you're probably not affected. Quest's own website boasts that it "touches the lives of 30 percent of American adults each year," which comes to about 75 million adults, plus an unknown number of persons under 18. You can presume that only a fraction of Quest's full patient list was passed on to AMCA, which seems to specialize in collecting payment from patients who haven't paid on time.
But because AMCA needs to be able to reach those late payers, we can assume that the compromised information probably also contains full names, mailing addresses and contact information such as telephone numbers and email addresses. DataBreaches.net said the data might also include dates of birth, according to information it received when it first got wind of the breach in mid-May.
Needless to say, this would be very valuable and dangerous information to possess, and if an identity thief or other type of online crook got his or her hands on it, they'd be pretty happy.
Why this could be devastating to those affected
A name, address, date of birth and Social Security number are all it takes to completely steal a U.S. resident's identity. Combine those with telephone numbers, email addresses, bank-account numbers and credit-card numbers, and you've got a perfect storm of opportunity for crooks, phishers and scammers.
Bad guys could contact affected people pretending to be the IRS, banks or even the Social Security Administration and present a convincing case that the scammers actually represented the purported organization. The credit card numbers are the least risky part of this brew, since U.S. card issuers quickly respond to suspicious activity, and card holders are rarely liable for stolen funds.
Best Identity Protection Services
Best Overall
Get it. IdentityForce UltraSecure+Credit is the best overall service for both credit monitoring and identity protection. It also protects your account with two-factor authentication.
Best Data Monitoring
It's worth it. Get LifeLock Ultimate Plus if you're very worried about having your identity stolen and you also need antivirus software. But you can get better credit monitoring for less with IdentityForce UltraSecure+Credit.
Best Tools
Good, but not the best. Identity Guard isn't bad, but for about the same price, IdentityForce UltraSecure+Credit offers more comprehensive personal-data and credit-file monitoring.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.