A day after Quest Diagnostics said its customers’ data has potentially been compromised, rival LabCorp said its patients’ personal information may have been exposed, too.
LabCorp said its third-party billing collections vendor, American Medical Collection Agency, notified the bloodwork company that hackers gained access to AMCA’s online payment system. The unauthorized access took place between August 1, 2018, and March 30, 2019, LabCorp said.
The company said it has referred millions of customers to AMCA for billing collections, and 7.7 million customers had their data stored in the hacked system.
AMCA’s system stored customers’ first and last names, credit card and bank account numbers, birth dates, addresses, phone numbers, dates of service, health care provider information, and the amount customers owed. LabCorp said it did not provide AMCA with information about tests, lab results, or diagnostic information. AMCA said it did not store Social Security numbers.
LabCorp said it believes about 200,000 customers’ credit card or bank account information may have been accessed, and it is sending notices to those customers. It said AMCA plans to offer affected customers identity protection and credit-monitoring services for two years.
LabCorp said it will no longer do business with AMCA. The collections agency did not respond to a request for comment.
The announcement came a day after Quest Diagnostics said its customers’ information was also potentially breached in AMCA’s hack. Unlike LabCorp, Quest said the exposed information may have included Social Security numbers and medical information, but not test results. Quest said it has referred 11.9 million customers to AMCA.
Quest also said it has stopped using AMCA for billing and that it was using “forensic experts” to examine the issue.
Both LabCorp and Quest said AMCA continues to investigate the scope and cause of the hack and has not yet provided detailed information about the incident, including which customers might have been affected.
“LabCorp takes data security very seriously, including the security of data handled by vendors,” the company said Tuesday.
Quest said Monday it remains “committed to keeping our patients, health care providers, and all relevant parties informed as we learn more.”