AGs Warn AMCA Breach Impact Rose to Over 20 Million

The data of more than 20 million patients was potentially exposed in the cyber-attack against American Medical Collection Agency (AMCA), a third-party collection agency for laboratories, hospitals, physician groups, medical providers and others. Attorneys general (AGs) in states including New Jersey, Illinois, Connecticut and Maryland have started alerting citizens and looking for answers about exactly what happened.

“The healthcare industry may be the most vulnerable of all industries to cyber-attacks. It's about the data healthcare operators have access to. In the AMCA cyber-heist, data stolen included patient PII [personally identifiable information] and lab test info but also included healthcare provider info, credit/debit card info, bank account info and social security numbers. This was a ‘treasure trove’ of data to a cyber-thief,” said Jonathan Deveaux, head of enterprise data protection at comforte AG.

The third-party data breach impacted both Quest Diagnostics and LabCorp, as well as BioReference Laboratories, CareCentrix and Sunrise Laboratories. According to LabCorp’s disclosure notice, “That information could include first and last name, date of birth, address, phone, date of service, provider, and balance information. AMCA’s affected system also included credit card or bank account information that was provided by the consumer to AMCA (for those who sought to pay their balance).”

Maryland AG Brian E. Frosh warned consumers to review their financial and medical records, according to WJZ-13. “Massive data breaches like the one experienced by the AMCA are extremely alarming, especially considering the likelihood that personal, financial, and medical information may now be in the hands of thieves and scammers,” Frosh told WJZ-13. “I strongly urge consumers to take steps to ensure that their information and personal identity is protected.”

Armed with this collection of patient data, criminals are in a good position to fraudulently collect money from those patients, according to Tim Erlin, VP, product management and strategy at Tripwire. “Imagine if you received an email with accurate details about a medical bill you actually have and a link to make a payment. It only takes a handful of people to fall for this scam in order for it to be worthwhile for the criminal.”
