June 17, 2019

A major breach at a billing provider for the US healthcare sector has exposed the personal and financial information of over 20 million people – and possibly more.

The company, American Medical Collection Agency (AMCA), said the data belongs to Americans who paid for private-sector tests at clinical and blood testing laboratories across the US, using AMCA’s billing portal.

The breach happened after a cybercriminal group compromised the company’s IT network and nicked payment information, which they later put up for sale on darknet data-trading forums.

Exposed data includes many of the key ingredients needed for identity theft: US Social Security (National Insurance) numbers, payment card details, bank account information; as well as names, home addresses, phone numbers, and dates of birth.

Since officially confirming the breach, AMCA’s laboratory partners have begun notifying end customers (e.g. patients) that their personal data is now out there.

Concerns about transparency

Company officials only admitted to the incident after being confronted repeatedly by journalists and analysts, and after law enforcement had been notified.

Security analysts Gemini Advisory first identified ca. 8,000 victims and hundreds of banks. Then additional research revealed that the hack lasted at least seven months and affected more than 200,000 victims. Continuing analysis has revealed a data loss exceeding 20 million records.

Laboratories whose patient data was exfiltrated include Quest Diagnostics (11.9 million patients) and LabCorp (7.7 million patients).

AMCA now say the breach lasted from August 1, 2018, to March 30, 2019, a period of eight months.

Healthcare data: high-value, even at low volume

Cybercriminals place a premium on data held by healthcare organisations. Even when the number of records stolen is low, the information can be used to create fake medical credentials.

These are used to generate false invoices and fraudulently bill for procedures that never happened.

And healthcare breaches are generally on the rise:

  • A data breach at Canada’s Natural Health Services exposed the personal information of roughly 34,000 medical marijuana users – potentially putting them at legal risk were they to visit, or do business in, jurisdictions where such treatments are illegal.
  • A survey of healthcare CSOs and CISOs by security analysts Carbon Black found that sixty-six percent thought cyberattacks had become more sophisticated over the past year.
  • According to data collected by the UK Information Commissioner’s Office (ICO), 43 percent of data breaches target healthcare organisations. A report by Ponemon and IBM found that breaches in healthcare cost twice as much as those in other industries, ca. £325 per stolen record.

Breaches: no place to hide

Despite the value and sensitivity of the customer data they held, AMCA looks to have flubbed its initial response.

They sat on the information and waited too long to alert their business customers. By allowing the news to be announced by others, AMCA created an impression that they weren’t in control.

They had to ‘confirm or deny’ what analysts were telling others.

It’s not a good look.

Post-breach, reputational damage can be serious.

Surveys have shown that consumers judge brands harshly following a major hack. They’re aware of how well companies protect data, and watch how they respond to a breach.

  • Brand reputation can take a big hit, with 41 percent of British consumers saying they will steer clear of a brand forever following a hack.
  • Fifty-five percent of UK consumers think their local shop is a better custodian of data than large companies.
  • Consumer-facing organisations are particularly vulnerable to lost sales after a breach, with up to a third of consumers saying they will take their business elsewhere.

Hacked companies often find the cost of acquiring new customers goes up. If the public reaction to a breach looks shifty and evasive, winning back market confidence will be even harder.

When they’re already here: Browsing the network at will

AMCA’s hack is more evidence that cyber criminals can get past security defences unnoticed, then camp out while moving laterally through the network and preparing to steal valuable data and IP.

It can happen to healthcare billing providers, and it can even happen to the companies that make the networking kit itself.

In May we reported that Citrix – a global provider of technology networking equipment and software to Fortune 500 companies – revealed that ‘international cyber criminals’ had been roaming around its own corporate network for half a year.

You might think that a multi-billion-pound networking tech company that’s been trading since 1989, and supplying some of the planet’s biggest organisations, would know if someone was casually browsing its network.

They were notified of the hack by the FBI.

Customers and business partners want security assurance

Whether you’re a bank or a mid-sized manufacturer, organisations of all sizes need to work harder when it comes to making customers feel their personal information is secure.

Given the highly-personal nature of healthcare and medical information, establishing and maintaining people’s trust in your cybersecurity capabilities has to be mission critical.

Of course that’s easy to say — hacks and data loss are a regular feature of the business landscape, and will be for the foreseeable future. But remediation costs can be minimised and trust enhanced by how well a company reacts.

Getting the initial response wrong, and knowing that it wasn’t able to detect a breach that was ongoing over months, means the full price AMCA will pay in damage to business relationships, reputation, and lost opportunities might not be apparent for months – or even years.

Alongside better crisis communications, organisations also need to continually assess their security posture – as well as the level of awareness inside the organisation of how sensitive the issue of privacy and data protection has become for end users.

Getting this wrong, or allowing a perception to develop that your organisation doesn’t have its priorities straight where information security is concerned, could be a business killer.

Want to know more? Adding security awareness training to the mix doesn’t have to be a chore. Why not sign up for a free demo and find out how we’re already helping healthcare organisations boost their defences and dramatically improve employee security awareness.