The Washington PostDemocracy Dies in Darkness

LabCorp discloses data breach affecting 7.7 million customers

LabCorp said a data breach at a third-party company exposed millions of customer files from August 2018 to March, according to a filing with the U.S. Securities and Exchange Commission. (Kiyoshi Ota/Bloomberg)

LabCorp, a medical testing company, said 7.7 million customers had their personal and financial data exposed through a breach at a third-party billing collections company.

The news came just days after the same contractor, American Medical Collection Agency, notified Quest Diagnostics about the full scope of a breach affecting 11.9 million of its patients. That breach allowed an “unauthorized user” to gain access to financial information, Social Security numbers and medical data but not lab results.

“AMCA has indicated that it is continuing to investigate this incident and has taken steps to increase the security of its systems, processes, and data,” LabCorp said in a filing Tuesday with the U.S. Securities and Exchange Commission. “LabCorp takes data security very seriously, including the security of data handled by vendors.”

The breach did not reveal information such as which tests were ordered or lab results, LabCorp said in the filing. But from August 2018 to March, the hacker was able to access names, birthdays, addresses, phone numbers, dates of service, account balances and other information.

The breach also exposed credit card and bank numbers attached to roughly 200,000 accounts, the filing said. AMCA told LabCorp that it was in the process of notifying those patients.

AMCA, which works primarily with health-care companies, said in a statement Wednesday that it learned of the breach from a security firm that works with credit card companies. It has since conducted an internal review, taken down its Web payments page, hired an outside company to review its systems and migrated its Web payments portal to a third-party site. It also said it is providing two years of credit monitoring to anyone whose Social Security number or credit card account was compromised.

“We remain committed to our system’s security, data privacy, and the protection of personal information,” the company said.

Quest Diagnostics discloses breach of patient records

According to the Identity Theft Resource Center, nearly 447 million records were exposed in 1,244 breaches last year. The medical and health-care sector accounted for 363, or 29 percent, of those incidents.

Large corporations are frequent targets. The biggest hack of 2018, against Marriott International, affected 383 million people worldwide. In 2017, the Equifax hack exposed the data of 145.5 million people. And 1 billion Yahoo customers were affected in an attack disclosed in 2016.

The largest hack involving medical data occurred in 2014, when hackers infiltrated the servers of the health insurance company Anthem, compromising the personal information of 79 million people. Anthem subsequently reached a $115 million settlement with victims. Last month, the U.S. Justice Department charged two Chinese nationals in the attack.

Christopher Rowland contributed to this report.