This week, two companies in the healthcare sector announced that their clients were affected by an information security breach. Both LabCorp and Quest Diagnostics were affected, and their data breaches can be traced back to AMCA (American Medical Collection Agency which also does business as Retrieval-Masters Creditors Bureau), a billing collections vendor. Many are pointing out that this cannot be the end of the story; others will undoubtedly be coming forth with news of being affected as well. That’s because AMCA is, according to krebsonsecurity.com:
a New York company with a storied history of aggressively collecting debt for a broad range of businesses, including medical labs and hospitals, direct marketers, telecom companies, and state and local traffic/toll agencies.
While the details of the breach for both healthcare companies differ, two things seem to be in common.
First, the breach took place between August 1, 2018 and March 30, 2019 (a full 8 months!). The site krebsonsecurity.com used a particular word to describe the situation (emphasis ours):
LabCorp. said it learned that the breach at AMCA persisted between Aug. 1, 2018 and March 30, 2019.
The peculiar word choice seems to imply that the data breach was ongoing throughout that entire period, as opposed to the two dates being the range within which investigators think a single data breach most likely took place.
Second, both companies are claiming that they do not know which of their customers have been affected so far. They merely have the number of people affected and other general details.
LabCorp – 7.7 million
LabCorp has announced that 7.7 million people have been affected. The information exposed to hackers, per their filing with the SEC:
could include first and last name, date of birth, address, phone, date of service, provider, and balance information.
Also potentially affected:
credit card or bank account information that was provided by the consumer to AMCA (for those who sought to pay their balance)
The company also noted what was not exposed:
LabCorp provided no ordered test, laboratory results, or diagnostic information to AMCA. AMCA has advised LabCorp that Social Security Numbers and insurance identification information are not stored or maintained for LabCorp consumers
Seeing how AMCA is being described as a debt collector, one should not be surprised at the above. Except, perhaps, by the absence of SSNs in the breached data. These are used as a universal identifier and have almost always been included when a major data breach is made public.
It would appear that LabCorp takes its information security duties quite seriously and has sought to minimize exposure of sensitive data to third parties.
Quest Diagnostics – 11.9 million
Quest also had to file paperwork with the SEC (nbcnewyork.com):
(The) information on AMCA’s affected system included financial information (e.g., credit card numbers and bank account information), medical information and other personal information (e.g., Social Security Numbers)
The news site follows with:
While customers’ broad medical information might have been compromised, Quest said AMCA did not have access to actual lab test results, and so therefore that data was not impacted
This is quite the contrast to LabCorp, namely the inclusion of “broad medical information” and SSNs. Seeing how LabCorp didn’t need to hand these over for AMCA to do its job, why did Quest Diagnostics provide them? The answer will most likely show up in a lawsuit that asks the very same question. (One hasn’t been filed yet, but the odds are quite high it will be, if history is anything to go by).
According to Quest Diagnostics, it was alerted about the breach on May 14 but AMCA did not disclose to them the number of people affected until two weeks later. Quest Diagnostics itself went public with the situation about a week after that. One presumes that the same happened for LabCorp.
Considering the nature of AMCA’s relationship to both companies, it is strongly presumed that it is (among other things) a business associate (BA) as defined under HIPAA, the federal regulation for data privacy and protection when it comes to safeguarding medical information.
HIPAA allows BAs up to 60 calendar days (not business days; that is, weekends are counted, too) from discovering a data breach to start getting in touch with a “covered entity,” that is, the actual medical body that initially collected and, thus, owns the sensitive medical data. A quick calculation shows that March 15 would be the earliest date on which AMCA could have discovered the security incident, assuming three things: that AMCA was sticking to the law; that it delayed the inevitable disclosure until the last possible moment, as many are wont to do; and that May 14 was therefore the last calendar day on which it could reach out to covered entities.
(It should be noted that March 15 is towards the latter end of the data breach “persistence period,” so it’s very likely that AMCA did not actually wait until the 60 days were up).
Generally, you tend to have the particulars of a data breach ready if you’ve known for nearly two months that you had a data breach. It wouldn’t be inconceivable that a BA reaches out to partners at the onset of the discovery to let them know of the situation and promise to provide details later on. But to reach out at the end of a federally-mandated period to the effect of “something happened. Something bad,” and then provide details later on? Almost unheard of.
Makes you wonder what AMCA was doing during all that time.
Many Laws Covering the Same Thing
It could be that AMCA was overwhelmed by the many laws governing data breaches. Not only do all fifty states and the US territories have their own laws regarding data breach notifications, but different regulatory agencies have their own as well. Sometimes, exceptions are provided if one law already covers aspects of another. For example, many state-level data breach notification laws become moot if HIPAA is triggered as well; no sense in sending two notification letters for the same incident, right? There are state laws that do not provide such an exception, however.
In other words, it’s complex (it’s even more complex if you have fingers in many different sectors and industries, assuming that AMCA deals with non-medical debt as well). So, it would be understandable for AMCA to basically be unprepared to give details to their partners even if they’d been dealing with the data breach for a month or two.
On the other hand, HIPAA requires that any organization that deals with medical information, including BAs, be prepared for just such an event. Indeed, HIPAA has many, many requirements, including whether adequate information security is being used to protect private information.
So, was AMCA a bit late in sharing details, if you will, because they weren’t following rules, such as those required by HIPAA? Or was it because the sheer number of laws complicated everything, and AMCA, presumably dealing with non-medical sectors as well, decided that alerting everyone at around the same time would be better than doing it piecemeal, stretched out over weeks – and thus waited to contact HIPAA covered entities while they dealt with all the other laws and regulations?
Again, chances are that this will be revealed in a yet-to-be-filed lawsuit. So, the pros covering information security are right: it’s not the last that we’re going to hear of this data breach.