Medical Data Breach Hits 20 Million: What to Do Now

Another 7.7 million medical patients may have been affected by the American Medical Collections Agency (AMCA) data breach revealed earlier this week, joining the 11.9 million clients of Quest Diagnostics whose personal data is already thought to have been compromised.

Credit: wk1003mike/Shutterstock

(Image credit: wk1003mike/Shutterstock)

North Carolina-based Laboratory Corporation of America Holdings, aka LabCorp, revealed in a Securities and Exchange Commission filing  yesterday (June 4) that "approximately 7.7 million" of its customers may have been affected by "unauthorized activity on AMCA's web payment page."

The compromised personal data "could include first and last name, date of birth, address, phone" and "credit card or bank account information," according to LabCorp's SEC filing. The data does not seem to include Social Security numbers, putting LabCorp customers at somewhat lower risk of identity theft than Quest's customers.

The filing says that AMCA itself thinks only 200,000 LabCorp customers were directly affected. AMCA is notifying them and will offer them "identity protection and credit monitoring services for 24 months."

What to do

If you get a notification that your personal information or credit card information was compromised in the AMCA breach, review your credit-card statements for the past year and immediately contact your card issuer about any discrepancies. The unauthorized access to AMCA's systems apparently began Aug. 1, 2018 and continued until March 30, 2019.

Use annualcreditreport.com to obtain at least one current credit report, look the report over, and contact the parties involved if there's anything unusual. Take up AMCA on its identity-protection-service offer if you receive one.

MORE: What to Do If You're Hit by a Data Breach

Unfortunately, LabCorp still doesn't know who its affected customers are, because "AMCA has not yet provided LabCorp a list of the affected LabCorp consumers or more specific information about them."

Like Quest, LabCorp runs a vast network of clinical-testing labs. LabCorp's website states that it had $11.3 billion in revenue last year and employs nearly 61,000 people worldwide.

The SEC filing states that "LabCorp provided no ordered test, laboratory results, or diagnostic information to AMCA," so actual medical records and reports are not part of this breach.

More shoes yet to drop

We suspect that this is not the last time we'll be hearing about the AMCA breach. AMCA specializes in collecting overdue payments from people who haven't paid their medical bills, and the AMCA website says its clients include "hospitals," "physician groups" and "third-party providers" as well as clinical labs. There may be many more companies in the medical industry coming forward to say their clients were impacted.

Futhermore, AMCA is not limited to the medical field. Independent security reporter Brian Krebs noted in a blog posting about the LabCorp disclosure that AMCA also does business as Retrieval Masters Creditors Bureau. He unearthed some Consumer Financial Protection Bureau and Better Business Bureau complaints that indicated Retrieval Masters handles bill collection for the E-Z Pass road-toll collection service in the Northeastern U.S.

A little Googling reveals a lot of complaints online that Retrieval Masters tries to collect money from people who say they don't actually owe any, but also that the company may handle bill collections for restaurants and magazine subscriptions as well.

Best Identity Protection Services

TOPICS
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Latest in Online Security
Apple iPhone 16 Plus Review.
Apple just released an emergency security update for a flaw used in an ‘extremely sophisticated attack’ — update your devices right now
A person trying to set up a new Wi-Fi router
Thousands of TP-Link routers have been infected by a botnet to spread malware
An image of a CAPTCHA
Hackers are using reCAPTCHA to trick users into infecting their own PCs with malware — how to stay safe
A smartphone screen displaying the Android name and logo next to a sign reading 'MALWARE'.
Fake Google Play Store pages are spreading Trojan malware that can steal your financial data
Best antivirus software
How does antivirus software work
and image of the Google Chrome logo on a laptop
Google Chrome at risk from shape-shifting browser extensions — how to stay safe
Latest in News
Dyson Purifier Cool (TP11) in office
Dyson just launched its new high-tech air purifier — right in time for allergy season
Nvidia RTX 5090
RTX 5060 breaks cover in Acer gaming PC — is Nvidia’s next GPU launch imminent?
Samsung Galaxy Tab S10 FE renders
Samsung's Galaxy Tab S10 FE crushes its predecessor with 40% speed boost in leaked benchmark
The camera assembly on the Google Pixel 9
The latest Google Pixel update is breaking fingerprint scanners — but there may be a fix
Robert De Niro as George in "Zero Day" coming to Netflix in February 2025
Netflix confirms new crime thriller movie with Robert De Niro — and it’s already on my watchlist
and image of the Google Chrome logo on a laptop
Google Chrome just updated its rules to stop future Honey scandals: here's what's changed