BreachExchange mailing list archives
46,500 Austin Pathology Patients Added to AMCA Data Breach Victims
From: Destry Winant <destry () riskbasedsecurity com>
Date: Tue, 23 Jul 2019 00:46:34 -0500
https://healthitsecurity.com/news/46500-austin-pathology-patients-added-to-amca-data-breach-victims

The massive American Medical Collection Agency breach has added yet another provider to its breach victim tally: Austin Pathology Associates is the third provider within a week to report its patient records were breached during an eight-month hack on the billing services vendor.

Retrieval Masters Credit Bureau, AMCA’s parent company, discovered the data security incident in March 2019. An investigation revealed a hacker initially gained access to AMCA’s system on August 1, 2018. The hack lasted for nearly eight months until it was discovered.

AMCA informed Austin Pathology of the data security incident in May. However, officials said AMCA failed to provide the specialist with enough information to identify the potentially impacted patients or even confirm the nature of the data impacted during the hack. Austin Pathology is continuing to investigate.

Based on the information provided by AMCA, the breached data included patient names, addresses, telephone numbers, dates of birth, dates of service, account balances, banking or credit card information, and provider details. Social Security numbers were not compromised, and Austin Pathology did not provide AMCA with any healthcare records, like laboratory results or clinical history.

While AMCA officials told Austin Pathology that it sent about 1,800 breach notifications to the specialist’s patients, the provider estimated that another 44,700 patients may have also had their data compromised, bringing the total impacted to 46,500. Financial data was not compromised for those additional patients.

Last week, Clinical Pathology Laboratories reported 2.2 million patients were affected by the AMCA breach, while Penobscot Community Health Center in Maine saw 13,000 patient records compromised.
Added to Austin Pathology’s patients, the 11.9 million Quest Diagnostics patients, 7.7 million LabCorp patients, and 422,000 BioReference patients, up to 22.28 million patients have been potentially impacted, so far.

As it continues to investigate, Austin Pathology has ended its business relationship with AMCA. The majority of other impacted covered entities, including Quest and LabCorp have also ceased doing business with the billing services vendor. As a result of the loss of business and cost of the breach, AMCA’s parent company filed for Chapter 11 bankruptcy.

Quest, LabCorp, and AMCA are currently facing lawsuits, as well as state and Senate investigations. Security researchers have noted that the impact of the breach will continue to reverberate throughout the foreseeable future.

“With this type of stolen information, criminals can have a field day running personalized phishing campaigns,” Stuart Reed, vice president of security firm Nominet, told HealthITSecurity in an email. “For example, if they know you are a customer of Clinical Pathology Laboratories and have the dates you visited the lab and any remaining unpaid balance, that creates a perceived level of trust for victims, which can be used to run a whole range of online scams and extortion attacks.”

“With a big database, this typically will start at the very top with high net worth targets and become more wholesale as the data ages,” he added. “Protection of data throughout the supply chain is a collective responsibility and any weak point presents a target of opportunity for an attacker.”

To Reed, organizations that handle sensitive data need to ensure the security of their vendors before the contracting process, as a way of creating a “joint security posture” that included technology, processes, training, and staff. Further, organizations also need to monitor the Domain Name System (DNS) for any evidence of data theft or unauthorized activity.
“In addition to resulting in fines, lost business and brand damage, cyberattacks can also affect organizations’ digital transformation plans,” Reed said. “A quarter of organizations not considering digital transformation acknowledge that it’s because of increased cybersecurity risks.”

“As digital transformation grows and swells the attack surface ever wider, a collaborative process that relies on getting risk management and cyber security embedded into the partner relationship early on should become something that’s baked into all supplier contracts as matter of routine,” he added.

_______________________________________________
BreachExchange mailing list
sponsored by Risk Based Security
BreachExchange () lists riskbasedsecurity com
If you wish to Edit your membership or Unsubscribe you can do so at the following link:
https://lists.riskbasedsecurity.com/listinfo/breachexchange