Dive Brief:
- Clinical laboratory giant LabCorp disclosed Tuesday that 7.7 million patients' personal and financial data was exposed during the same data incident that rival Quest Diagnostics announced Monday.
- One of LabCorp's billing collections vendors, the American Medical Collection Agency (AMCA), experienced unauthorized activity on its web payment page between Aug. 1 and March 30. In a Securities and Exchange Commission disclosure, the company said Social Security numbers, insurance identification information and laboratory results were not exposed during the breach.
- LabCorp announced AMCA is in the process of sending notices to 200,000 patients whose credit card or bank account information may have been accessed. Those customers will be offered identity protection and credit monitoring services for 24 months, according to AMCA.
Dive Insight:
LabCorp is the latest victim of AMCA's breach. The security incident adds to the heightened level of supply chain-style attacks, in which bad actors compromise a company through its third-party service providers.
Supply chain cyberattacks increased by almost 80% in 2018 as hackers take advantage of trusted ecosystems. They are attractive to hackers for a number of reasons. For example, intercepting software updates through the supply chain is easier to execute than exploiting zero-day vulnerabilities. The process is made easier for hackers when companies have updates automated.
Further investigations into the AMCA breach are underway. More actions may be taken once LabCorp receives additional information about the AMCA data breach, the company said.
"In response to initial notification of the AMCA Incident, LabCorp ceased sending new collection requests to AMCA and stopped AMCA from continuing to work on any pending collection requests involving LabCorp consumers," the SEC notice states.
Last July, LabCorp was the target of a ransomware attack that cost the company $24 million and resulted in it pulling parts of its IT system offline.