American Medical Collection Agency (AMCA), a collection agency that collects on behalf of LabCorp and Quest Diagnostics, experienced a massive data breach that exposed consumer personal data and payment information.
On Monday, June 3, 2019, Quest Diagnostics filed a disclosure statement with the U.S. Securities and Exchange Commission (SEC) about the incident. The filing states that there was “unauthorized access” to AMCA’s web payment page between August 1, 2018, and March 30, 2019. The affected system contained records of approximately 11.9 million Quest consumers.
The following day, Tuesday, June 4, LabCorp filed a similar but more detailed disclosure statement with the SEC, likewise stating that there was “unauthorized activity” on AMCA’s web payment page during the same period. AMCA serviced approximately 7.7 million consumers on behalf of LabCorp, and AMCA is sending approximately 200,000 of those consumers notices that the breach may have compromised their credit card or bank account information. The compromised information “could include first and last name, date of birth, address, phone number, date of service, provider and balance information,” as well as payment information for those who sought to make payments. According to the disclosure, the compromised system does not store Social Security numbers or insurance identification information.
In a statement obtained by Krebs on Security, AMCA says:
We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident. We remain committed to our system’s security, data privacy, and the protection of personal information.
Because collection agencies handle personal and sensitive information about consumers, data privacy and security are critical concerns for the industry. insideARM received some insights from industry experts on what the AMCA data breach means for debt collectors.
Josh Allen, CEO of Revenly, a digital engagement platform for collection companies built with consumer experience and data security as its cornerstones, states:
This should be a wakeup call for collection companies who are using -- or thinking of using -- digital engagement platforms to interact with and collect payments from consumers. While digital assets can cut costs, cutting corners can lead to disaster.
Agencies need to carefully consider their path: either build your own asset or buy one from an outside resource. Many agencies are not well-equipped to build their own consumer-facing asset, which can cost more than seven figures, while also maintaining annual security requirements to accept credit cards and other forms of electronic payments. Many try, but they miss critical steps.
As more agencies see the value of digital engagement to their bottom line, they also need to consider the investment and staffing requirements for properly implementing these solutions. A cheap solution is not always the best solution.
Brian McManamon, President and CEO of TECH LOCK, adds:
The breach of AMCA demonstrates receivables management firms, and the sensitive consumer data we are required to manage, are on the radar of hackers who continue to become more sophisticated. As hackers become more proficient, compliance with key security standards such as PCI DSS or HITRUST is only one component of an overall cybersecurity strategy and framework. In this instance, the entity that breached AMCA was present and undetected for 8 months. To appropriately protect the consumer data with which we are entrusted, it requires a strategic security platform that must include 24/7/365 monitoring, detection and response resources. This breach also demonstrates the importance of requiring partners who access your protected data to undergo a third-party assessment. As this unfortunate breach indicates, the importance of implementing a strategic security platform continues to grow.
New York, where AMCA is located, rolled out sweeping cybersecurity rules (23 NYCRR Part 500) through its main financial regulator, the Department of Financial Services (NYDFS). The rules were phased in over a two-year transition period, with full implementation required by March 1, 2019. The final implementation step required covered entities to establish written policies for third-party service providers that called for, among other things, risk assessments of those vendors. According to the SEC filings, the unauthorized access ended around March 30, 2019. The details of the incident have not been released yet, but given the temporal proximity it will be interesting to see whether the final implementation step of the NYDFS rules led to the discovery of the incident.