7.7 Million Consumers Affected by a Breach at a Collection Company – Krebs on Security




Medical testing giant LabCorp. said today that personal and financial data on some 7.7 million consumers were exposed by a breach at a third-party bill collection company. That third party, the American Medical Collection Agency (AMCA), also recently notified competitor Quest Diagnostics that an intrusion into its payment website exposed personal, financial and medical data on nearly 12 million Quest patients.

Only a few days ago, news broke that Quest had suffered a major breach. But today's disclosure by LabCorp. suggests that we are far from done hearing about other companies whose millions of consumers were victims of this incident: AMCA is a New York company with a long history of aggressive debt collection for a wide range of companies, including medical laboratories and hospitals, direct marketing specialists, telecommunications companies, and national and local traffic/toll agencies.

In a filing today with the U.S. Securities and Exchange Commission, LabCorp. said it had learned that the AMCA breach persisted between August 1, 2018 and March 30, 2019. The information exposed could include name, surname, date of birth, address, phone, date of service, supplier and balance.

"The AMCA affected system also included credit card or bank account information provided by the consumer to AMCA (for those seeking to pay their balance)," the document says. "LabCorp has not provided any controlled tests, laboratory results or diagnostic information to AMCA. AMCA has informed LabCorp that Social Security numbers and insurance identification information are not stored or retained for LabCorp consumers."

LabCorp added that AMCA had informed LabCorp "that it is sending out notifications to about 200,000 LabCorp consumers whose credit card or bank account information may have been consulted. AMCA has not yet provided LabCorp with a list of relevant LabCorp consumers or more specific information about them."

LabCorp's disclosure comes just days after competing laboratory testing company Quest Diagnostics disclosed that the hack of AMCA had exposed the personal, financial and medical data of about 11.9 million patients.

Quest said it was first informed of the breach by AMCA on May 14, but that it was only two weeks later that AMCA disclosed the number of affected patients and the information accessed, including financial information (bank account and credit card numbers), medical information and Social Security numbers.

Quest says that it has since stopped doing business with AMCA and has hired a security company to investigate the incident. Like LabCorp, Quest also claims that AMCA has yet to report that 11.9 million patients have been affected and that the company concealed information about the incident.

AMCA declined to answer questions about whether the breach of its payment page affected people who entered payment data on the company's website during the breach. But through an outside public relations firm, it issued the following statement:

"We are investigating a data incident involving an unauthorized user accessing the American Medical Collection Agency's system," reads a written statement attributed to AMCA. "After receiving information from a security compliance company working with credit card companies about a possible security compromise, we performed an internal audit and removed our payment page from the Web."

The statement continues:

"We retained the services of an external third-party legal firm to investigate any potential security breach in our systems. We have migrated our web payment portal services to a third-party vendor. We also retained the services of experts to advise and implement measures to strengthen our systems' security. We also informed the security forces of this incident. We remain committed to the security of our system, the confidentiality of data and the protection of personal information."

ANALYSIS

AMCA also does business under the name "Retrieval-Masters Credit Bureau," a company that has been in business since 1977. Retrieval-Masters also has an atrocious reputation for allegedly harassing consumers over debts they had never incurred.

A search on the company's name on the complaints page of the Consumer Financial Protection Bureau (CFPB) turns up nearly 700 complaints for Retrieval-Masters. The company has an abominable "F" rating from the Better Business Bureau, with 60 complaints lodged against it in the last three years.

A review of a number of these complaints reveals some other current and/or previous AMCA clients, including the EZPass system. Recent consumer complaints about AMCA also name American Traffic Solutions, which serves rental car fleets and processes about 50 million toll transactions a year. American Traffic Solutions has not responded to requests for comment.

I imagine we will soon hear about many other businesses and millions of additional consumers affected by this AMCA breach. Certainly, companies like Quest and LabCorp. are required to ensure that contractors properly protect the personal, medical and financial information of their patients.

But this AMCA incident is the latest example of a breach at a little-known company that nevertheless holds large amounts of sensitive data that has been shared or stored beyond the control of the consumers concerned.

On May 24, KrebsOnSecurity reported that the website of First American Financial [NYSE:FAF], a Fortune 500 real estate title insurance giant, had leaked 885 million documents related to mortgage transactions dating back to 2003, until it was notified by KrebsOnSecurity. The digitized records (including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts and driver's license images) were available without any authentication to anyone with a web browser.

Many readers have written that they have never heard of First American, but it is the largest title insurance company in the United States. Title insurance is generally required for all home mortgages and protects the buyer from any previously unknown debts. First American currently handles approximately one in four title insurance transactions, generally as part of the mortgage closing process, which means that tens of millions of Americans are potentially exposed to the company's inexplicably lax security.



Tags: American Medical Collection Agency, American Traffic Solutions, Consumer Financial Protection Bureau, EZPass, LabCorp, Quest Diagnostics breach, Retrieval-Masters Credit Bureau

This entry was posted on Tuesday, June 4th, 2019 at 5:45 pm and is filed under Data breaches.