A third-party billing collections vendor is behind the latest large data breach.

American Medical Collection Agency, a vendor providing collections work for Quest Diagnostics and Lab Corp., had “unauthorized activity” on its web payment page between August 2018 and March 2019. Discovery of the breach began with a cybersecurity firm finding compromised payment cards tied to Health Spending Accounts for sale on the Dark Web in February.

Gemini Advisory, which discovered the payment cards, contacted AMCA but did not get a response, according to news reports. The cybersecurity company then reported its findings to law enforcement. AMCA shut down its payment portal and began notifying its clients in mid-May.

A filing with the SEC by Quest Diagnostics Inc. said the stolen data included “financial information (e.g., credit card numbers and bank account information), medical information and other personal information (e.g., Social Security Numbers).” The June 3 filing also says Quest “has not been able to verify the accuracy of the information” it received from AMCA on May 14.

In addition to Quest Diagnostics and Lab Corp., other medical companies’ patients may also have been affected. The current number of affected patients is near 20 million, but the total may grow as other affected collections clients come to light.

We often say a breach can cost you business. Here’s proof, from another 8-K filing by a company called Opko Health Inc. about its affected subsidiary, BioReference Laboratories, Inc.

“BioReference has not sent any collection requests to AMCA since October 2018, and it will not send any new collection requests to AMCA. In addition, BioReference has requested that AMCA cease continuing to work on any pending collection requests involving BioReference patients.”

Have you checked on YOUR vendors lately? Contact us for more information!