BreachExchange mailing list archives
UPDATE: 8 More Providers Added to AMCA Data Breach Victims
From: Destry Winant <destry () riskbasedsecurity com>
Date: Fri, 26 Jul 2019 09:02:00 -0500
https://healthitsecurity.com/news/46500-austin-pathology-patients-added-to-amca-data-breach-victims

Eight covered entities have been added to the victim tally of the massive American Medical Collection Agency breach, which has now claimed a total of up to 25 million breached patient records.

Austin Pathology Associates became the third provider within a week to report its patient records were breached during the eight-month hack on the billing services vendor. Shortly after, seven more covered entities reported they too were impacted: Natera, American Esoteric Laboratories, CBLPath, South Texas Dermatopathology, Seacoast Pathology, Arizona Dermatopathology, and Laboratory of Dermatopathology ADX.

In total, more than 774,640 patients have been added to the breach by these covered entities (Natera did not disclose how many of its patients were impacted).

Retrieval Masters Credit Bureau, AMCA’s parent company, discovered the data security incident in March 2019. An investigation revealed a hacker initially gained access to AMCA’s system on August 1, 2018. The hack lasted for nearly eight months until it was discovered.

AUSTIN PATHOLOGY ASSOCIATES

AMCA informed Austin Pathology of the data security incident in May. However, officials said AMCA failed to provide the specialist with enough information to identify the potentially impacted patients or even confirm the nature of the data impacted during the hack. Austin Pathology is continuing to investigate.

Based on the information provided by AMCA, the breached data included patient names, addresses, telephone numbers, dates of birth, dates of service, account balances, banking or credit card information, and provider details. Social Security numbers were not compromised, and Austin Pathology did not provide AMCA with any healthcare records, like laboratory results or clinical history.

While AMCA officials told Austin Pathology that it sent about 1,800 breach notifications to the specialist’s patients, the provider estimated that another 44,700 patients may have also had their data compromised, bringing the total impacted to 46,500. Financial data was not compromised for those additional patients.

As it continues to investigate, Austin Pathology has ended its business relationship with AMCA. The majority of other impacted covered entities, including Quest and LabCorp, have also ceased doing business with the billing services vendor.

NATERA

In May, Natera was notified by AMCA its records were included in the hack and were provided with a list of the patients impacted. The notification did not outline the amount.

Officials said AMCA was only provided with limited information by Natera. As a result, the breach only compromised patient names, addresses, Natera patient identification numbers, AMCA account numbers, and credit card numbers.

AMERICAN ESOTERIC LABORATORIES (AEL)

AEL was also notified about the breach in May, which impacted a total of 541,900 patients. Officials said they launched their investigation with help from a third-party cybersecurity firm into the security incident to identify the impacted patients and the scope of the breach.

Patient names, addresses, phone numbers, dates of birth, treatment provider details, balance information, and dates of service were compromised. Since the security incident, AEL has stopped using AMCA for collection efforts.

CBLPATH

With help from an outside cybersecurity team, CBLPath launched its own investigation into the incident soon after AMCA informed them of the breach in May. They found that 148,900 patient records were compromised, which included names, addresses, phone numbers, dates of birth, balance details, treatment provider information, and dates of service.

CBLPath has also stopped using AMCA for its debt collection services since the breach.

SOUTH TEXAS DERMATOPATHOLOGY

Much like the notifications from the other impacted covered entities, South Texas Dermatopathology officials said AMCA did not provide enough information in its initial reporting to help the covered entity determine what patients were impacted in the event. As a result, South Texas Dermatopathology is continuing to investigate.

So far, the provider has determined patient names, addresses, phone numbers, dates of birth, dates of service, balance information, credit card or banking data, and treatment provider information were compromised. AMCA told the provider that Social Security numbers were not breached during the hack, and South Texas Dermatopathology does not provide AMCA with health information.

While AMCA has only sent 1,200 patients breach notification letters, the investigation by South Texas Dermatopathology found that another 14,900 patients were involved. Those patients did not have their credit or banking details breached. In total, 16,100 patients were included in the hack, which was limited to its US patients.

SEACOAST PATHOLOGY

The Seacoast Pathology investigation is still ongoing, as officials said AMCA did not provide them with enough information to fully determine the scope of the breach.

Based on AMCA's reporting, officials said patient names, contact information, dates of service, balance information, credit card or banking information, and treatment provider details were compromised for about 800 patients. However, Seacoast determined another 9,200 patient records were breached, bringing the total number to 10,000.

Social security numbers and health data were not included, and only US patients whose accounts were referred for debt collection were involved.

ARIZONA DERMATOPATHOLOGY

According to local news outlet ABC15, about 7,000 Aurora Diagnostics Arizona Dermatopathology patient records were included in the breach. Further details into the impacted information were not disclosed.

LABORATORY OF DERMATOPATHOLOGY ADX (LDA)

LDA was also informed by AMCA of the breach in May, and much like many of the other covered entities, LDA officials said they were not provided enough information by AMCA to adequately understand the scope of the incident. As a result, LDA's investigation is ongoing.

At the moment, LDA believes that patient names, addresses, phone numbers, dates of birth, dates of service, balance information, credit card or banking information and treatment provider information were compromised. Social security numbers and health information were not breached.

AMCA sent notifications to just 240 patients informing them of the data breach. But LDA estimated that another 4,000 patients were involved, though their financial information was compromised.

THE IMPACT

Last week, Clinical Pathology Laboratories reported 2.2 million patients were affected by the AMCA breach, while Penobscot Community Health Center in Maine saw 13,000 patient records compromised.

Added to Austin Pathology’s patients, the 11.9 million Quest Diagnostics patients, 7.7 million LabCorp patients, and 422,000 BioReference patients, up to 22.28 million patients have been potentially impacted, so far. With today's added breach victims, the total amount of patients impacted has reached well over 25 million.

As a result of the loss of business and cost of the breach, AMCA’s parent company filed for Chapter 11 bankruptcy. Quest, LabCorp, and AMCA are currently facing lawsuits, as well as state and Senate investigations.

Security researchers have noted that the impact of the breach will continue to reverberate throughout the foreseeable future.

“With this type of stolen information, criminals can have a field day running personalized phishing campaigns,” Stuart Reed, vice president of security firm Nominet, told HealthITSecurity in an email.

“For example, if they know you are a customer of Clinical Pathology Laboratories and have the dates you visited the lab and any remaining unpaid balance, that creates a perceived level of trust for victims, which can be used to run a whole range of online scams and extortion attacks.”

“With a big database, this typically will start at the very top with high net worth targets and become more wholesale as the data ages,” he added. “Protection of data throughout the supply chain is a collective responsibility and any weak point presents a target of opportunity for an attacker.”

To Reed, organizations that handle sensitive data need to ensure the security of their vendors before the contracting process, as a way of creating a “joint security posture” that included technology, processes, training, and staff. Further, organizations also need to monitor the Domain Name System (DNS) for any evidence of data theft or unauthorized activity.

“In addition to resulting in fines, lost business and brand damage, cyberattacks can also affect organizations’ digital transformation plans,” Reed said. “A quarter of organizations not considering digital transformation acknowledge that it’s because of increased cybersecurity risks.”

“As digital transformation grows and swells the attack surface ever wider, a collaborative process that relies on getting risk management and cyber security embedded into the partner relationship early on should become something that’s baked into all supplier contracts as matter of routine,” he added.