Cyber101: Medical Lab Provider Breaches

One of our readers asked, “I saw the news stories about Quest Diagnostics and LabCorp both getting breached. What happened, and should I be worried about it?”

To set the record absolutely straight, neither of those companies actually got breached – technically. Data from both companies that was being held by a billing company was acquired by threat actors directly from that third-party company. The end result doesn’t change very much, but it’s good to make sure we’re following the path of this incident fully.

Let’s take a look at what happened, how far it reaches, and if you should be worried:

Quest Diagnostics and LabCorp are two of the largest providers of medical testing services. Basically, if your doctor, dentist, etc. needs to do a blood test, culture a swab, or perform any other form of medical testing, they will probably go to one of those two companies to have the actual test done. This makes it easier for medical/dental clinics to offer a full range of services without needing to buy millions of dollars in testing equipment, and overall the system is very beneficial to patients as they don’t need to make separate appointments at multiple locations just to get a checkup.

Additionally, these companies provide testing services to governments and non-medical companies. If you’ve needed a drug screening for work, or particular blood tests for licensing or insurance purposes, these two companies were probably the ones doing the actual testing.

This means that these companies have a huge amount of information about you and your medical status/history – most likely as much as your doctor does due to the nature of the testing they perform. That data is actually safeguarded by Quest and LabCorp, and the threat actors who stole it didn’t obtain it from them directly. Instead, what happened was part of a disturbing trend in attacks that’s becoming more and more common: Third-party or “once-removed” data theft. Here’s how it works:

A large company holds data that one or more threat actors would find highly valuable. That company (let’s call them BigCorp, Inc.) has a full security team and has the data at least fairly well locked down. Threat actors know that it would take too long or be too difficult to get the data from BigCorp directly.

Now, if BigCorp makes the best widgets in the world, they probably don’t also specialize in accounting systems. BigCorp has some accountants on staff, but since accounting isn’t their primary business they outsource some or all of the accounting to other companies. So to manage the books, BigCorp hires SmallCorp – a specialist accounting firm that has experts in widget accounting. SmallCorp is not a big enterprise; they don’t have the budget or the people to implement and manage a complete data security system, but they hold the data that the threat actors want to steal from BigCorp, since SmallCorp needs that data to do the accounting.

The threat actor knows it’s not worth going after BigCorp and all their security measures when the data they want is also available by attacking SmallCorp. As such, the threat actors attack SmallCorp and try to steal the data directly from that company’s systems instead. This “once-removed” attack may not give them everything they want, but if they’re after BigCorp’s financial information, then going after SmallCorp – BigCorp’s accounting firm – will probably get them what they are looking for.

As an added bonus, SmallCorp may also have financial data for other customers, meaning that the attacker can steal not only BigCorp’s data, but HugeCorp’s, MediumCorp’s, and ForeignCorp’s data at the same time.

In this particular case, a provider of billing and collection services was the target of the attack. Most likely the threat actors wanted the patient billing information of one of the two companies, but were able to get that data from both lab companies because it was all held by the same third-party billing and collection firm: American Medical Collection Agency.

AMCA disclosed that they believe the data was accessible to the threat actors from August of 2018 through May of 2019 (source: American Medical Collection Agency — Krebs on Security) – meaning the attackers were in the AMCA systems for well over half a year. The chances that the disclosures by these two large companies are just the tip of a much larger breach iceberg are quite high, and we should be expecting that additional disclosures will follow as the other customers of AMCA evaluate what might have been taken from their own databases.

In terms of what was taken, there is some confusion and debate. Both Quest and LabCorp state that patient billing information – including name, address, phone numbers, provider (doctor) names, and current amount owed – was taken. Quest further disclosed that they have reason to believe that “personal, financial, and medical” information was stolen, so there is a possibility that additional LabCorp data may have been taken as well. Right now, it’s too early to tell, but what we know has been taken from both companies’ disclosures is still horrific.

Should you be worried? The answer here is unfortunately yes. Since we know at least some medical information was stolen, the data the thieves have is monumentally private and has the potential to ruin lives. The exceptionally personal information of over 11 million people is now in the hands of an unknown party, and could be sold to other unknown parties at any time. While law-abiding companies and individuals could never use that information, there are those who would not hesitate to use it to blackmail patients and for other nefarious reasons.

What can you do? Right now you can only take the usual steps to help keep yourself safe:

  • Monitor your credit card and bank statements to ensure there are no unusual charges.
  • Get your credit reports at least once a year (every American can get their reports once per year for free; see “Get My Free Credit Report | Federal Trade Commission”) and make sure there are no new requests for credit cards, loans, or other incorrect information.
  • For this particular breach, speak to your doctor, dentist, and other medical professionals and ask if they use Quest Diagnostics or LabCorp (they most likely do) – if so, contact the company they use and request that they inform you if your information was ever given to American Medical Collection Agency. If it was, then it may pay to invest in a credit monitoring service from a reputable firm.

As always, you should never interact with anyone who contacts you via email or phone to discuss your medical information or financial information.

  • Politely inform them that you are happy to discuss the issue with their company, but only when you call them.
  • Hang up, find the company in question in the phone book or online, and then YOU call THEM. Do not call any numbers given in an email you receive without asking for it or given to you by a person who calls you directly. If the call is legitimate, whoever takes your call when you phone them will be happy to help you. If you are harassed, threatened, or the caller refuses to accept that you will call them, it is highly unlikely that the call is legitimate.
  • In this particular breach, if anyone reaches out and extorts you for money or tries to get you to perform an action with the threat that they will release your medical information to another party (your family, your employer, etc.), note the time, date, and their phone number if you can see it. Immediately hang up – do not engage with the caller – and call the police or other law enforcement personnel.

Companies can help protect themselves and their customers by demanding that every third-party business they use, contract with, or otherwise allow to hold any of their data follows sufficient data security protocols based on the type and amount of data that the third party holds. This is common in the financial industry, but has been slow to happen in the greater business world so far. “Third-party due diligence” is something that every company must begin to require as a condition of doing business with them, or this kind of breach is going to continue to happen over and over again.

Hang in there. This is a particularly bad situation, but if we keep our wits about us and handle unusual credit activity, phone calls, and emails with a small amount of suspicion, we can make sure this data does not lead to anything good for the thieves who stole it.

Update 6/6/19:

After this article was originally submitted, a third testing laboratory – BioReference – released a statement saying that they too were a customer of AMCA and that their data was stolen. This raises the number of individual patients whose data was stolen to 20.1 million.