This article is more than 1 year old

Bloody awful: Hell-thcare hackers break into databases of 20m medical test biz patients

Outsourced silos of personal info raided, at least 200,000 payment details swiped

Hackers have raided databases containing millions of medical test lab patients' personal and payment information, making off with at least hundreds of thousands of people's banking details.

The ransacked data stores were maintained by American Medical Collection Agency (AMCA) on behalf of blood-testing biz LabCorp and medical-testing giant Quest Diagnostics.

On Tuesday this week, LabCorp sent a filing to America's Securities and Exchange Commission notifying the regulator that a database of 7.7 million of its patients – a database outsourced to payment collections agency AMCA – had been broken into by hackers. That silo stored people's first and last names, dates of birth, addresses, phone numbers, and amounts of money owed or paid. Furthermore, approximately 200,000 entries containing credit card or bank account info were almost certainly siphoned off by the miscreants.

The intrusion occurred between August 1, 2018, and March 30, 2019, when crooks infiltrated AMCA's web payment portal. Labcorp said it has now terminated its relationship with AMCA.

"AMCA’s affected system included information provided by LabCorp. That information could include first and last name, date of birth, address, phone, date of service, provider, and balance information," LabCorp told the US securities watchdog. "AMCA’s affected system also included credit card or bank account information that was provided by the consumer to AMCA (for those who sought to pay their balance)."


Don't have a heart attack but your implanted defibrillator can be hacked over the air (by someone who really wants you dead)


If there is any good news to be had for LabCorp customers in all of this, it is that the compromised database did not include any medical records nor test results.

AMCA did not respond to a request for comment on the matter. LabCorp said the debt collection agency will notify the 200,000 people whose records were likely accessed and offer them free credit monitoring and identity protection services for two years.

The LabCorp filing comes just one day after Quest Diagnostics submitted its own notification to the SEC. That paperwork disclosed that nearly 12 million Quest customers likewise had their records exposed to hackers between August 1 and March 30 of this year, though declined to reveal exactly how many may or may not have had their records actually swiped. The data was, again, stored by AMCA, and managed via Quest's contractor Optum360.

Quest indicated its exposed customer information included personal and financial information, social security numbers, and medical details, though no test results, putting those 12-or-so million people at a higher risk of identity theft.

"Between August 1, 2018 and March 30, 2019, an unauthorized user had access to AMCA’s system that contained information that AMCA had received from various entities, including Quest Diagnostics, and information that AMCA collected itself," Quest's filing reads. "The information on AMCA’s affected system included financial information (e.g., credit card numbers and bank account information), medical information and other personal information (e.g., Social Security Numbers).

"As of May 31, 2019, AMCA believes that the number of Quest Diagnostics patients whose information was contained on AMCA’s affected system was approximately 11.9 million people; and AMCA has been in contact with law enforcement regarding the incident."

Quest has also suspended its use of AMCA for at least the time being. ®

More about


Send us news

Other stories you might like