Collections firm breach exposes data on 7.7M LabCorp customers

Data exposed could include names, credit card information and medical providers, among other things.

Steven Musil Night Editor / News
Steven Musil is the night news editor at CNET News. He's been hooked on tech since learning BASIC in the late '70s. When not cleaning up after his daughter and son, Steven can be found pedaling around the San Francisco Bay Area. Before joining CNET in 2000, Steven spent 10 years at various Bay Area newspapers.
Expertise I have more than 30 years' experience in journalism in the heart of the Silicon Valley.
Steven Musil
2 min read
Getty Images

A security breach at a third-party billing collections firm exposed the personal and financial data on as many as 7.7 million LabCorp customers, the medical testing giant said Tuesday.

LabCorp said in a filing with the US Securities and Exchange Commission that it was recently notified of a security breach that occurred at the American Medical Collection Agency between Aug. 1, 2018, and March 30, 2019. The revelation comes a day after Quest Diagnostics said 11.9 million of its patients may have been exposed in a data breach at the AMCA, an external collections agency used by LabCorp and other companies in the health care industry.

LabCorp said the information that could've been exposed includes customers' first and last names, dates of birth, addresses, phone numbers, dates of service, medical provider and balance information.  

"AMCA's affected system also included credit card or bank account information that was provided by the consumer to AMCA (for those who sought to pay their balance)," LabCorp said in its filing. "LabCorp provided no ordered test, laboratory results, or diagnostic information to AMCA. AMCA has advised LabCorp that Social Security numbers and insurance identification information are not stored or maintained for LabCorp consumers."

LabCorp said the AMCA is in the process of informing the approximately 200,000 LabCorp customers whose financial information might've been accessed. The medical testing company said the AMCA hasn't yet provided it with a list of the affected LabCorp customers.

LabCorp also said that as a result of the breach, it's stopped sending new collection requests to the AMCA and suspended the AMCA's work on any pending requests related to LabCorp customers.

Law enforcement officials have long warned health care industry companies that they may face an increased risk of data breach attacks. A hack of Anthem in 2015 affected up to 78.8 million people using the health insurance giant, exposing sensitive data such as names, Social Security numbers, phone numbers, email addresses, incomes and birthdates.

LabCorp declined to comment beyond its SEC filing. AMCA said it conducted an internal audit after being notified of the breach by an outside security compliance firm and took down its web payments page. The company has also hired a third-party forensics firm to investigate the breach and has notified law enforcement.

"We remain committed to our system's security, data privacy, and the protection of personal information," AMCA said in a statement.