Medical Data Breach Hits 20 Million: What to Do Now

Another 7.7 million medical patients may have been affected by the American Medical Collections Agency (AMCA) data breach revealed earlier this week, joining the 11.9 million clients of Quest Diagnostics whose personal data is already thought to have been compromised.

Credit: wk1003mike/Shutterstock


North Carolina-based Laboratory Corporation of America Holdings, aka LabCorp, revealed in a Securities and Exchange Commission filing yesterday (June 4) that "approximately 7.7 million" of its customers may have been affected by "unauthorized activity on AMCA's web payment page."

The compromised personal data "could include first and last name, date of birth, address, phone" and "credit card or bank account information," according to LabCorp's SEC filing. The data does not seem to include Social Security numbers, putting LabCorp customers at somewhat lower risk of identity theft than Quest's customers.

The filing says that AMCA itself thinks only 200,000 LabCorp customers were directly affected. AMCA is notifying them and will offer them "identity protection and credit monitoring services for 24 months."

What to do

If you get a notification that your personal information or credit card information was compromised in the AMCA breach, review your credit-card statements for the past year and immediately contact your card issuer about any discrepancies. The unauthorized access to AMCA's systems apparently began Aug. 1, 2018 and continued until March 30, 2019.

Use annualcreditreport.com to obtain at least one current credit report, look the report over, and contact the parties involved if there's anything unusual. Take up AMCA on its identity-protection-service offer if you receive one.


Unfortunately, LabCorp still doesn't know who its affected customers are, because "AMCA has not yet provided LabCorp a list of the affected LabCorp consumers or more specific information about them."

Like Quest, LabCorp runs a vast network of clinical-testing labs. LabCorp's website states that it had $11.3 billion in revenue last year and employs nearly 61,000 people worldwide.

The SEC filing states that "LabCorp provided no ordered test, laboratory results, or diagnostic information to AMCA," so actual medical records and reports are not part of this breach.

More shoes yet to drop

We suspect that this is not the last time we'll be hearing about the AMCA breach. AMCA specializes in collecting overdue payments from people who haven't paid their medical bills, and the AMCA website says its clients include "hospitals," "physician groups" and "third-party providers" as well as clinical labs. There may be many more companies in the medical industry coming forward to say their clients were impacted.

Furthermore, AMCA is not limited to the medical field. Independent security reporter Brian Krebs noted in a blog posting about the LabCorp disclosure that AMCA also does business as Retrieval Masters Creditors Bureau. He unearthed some Consumer Financial Protection Bureau and Better Business Bureau complaints that indicated Retrieval Masters handles bill collection for the E-Z Pass road-toll collection service in the Northeastern U.S.

A little Googling reveals a lot of complaints online that Retrieval Masters tries to collect money from people who say they don't actually owe any, but also that the company may handle bill collections for restaurants and magazine subscriptions as well.


Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.