A data-security services firm says it has spotted, in online fraudster marketplaces, approximately 200,000 payment card numbers stolen from a collections firm serving diagnostic laboratories, but it expects more to come up for sale later.
Secaucus, N.J.-based Quest Diagnostics Inc. reported Monday that financial and other data on some 11.9 million of its patients was compromised in a data breach that lasted from Aug. 1 to March 30. The breach targeted the online payment page of American Medical Collection Agency, which provides collection services to Optum360, which in turn is a Quest contractor. Quest said the breach affected patients’ credit card and bank-account information, Social Security numbers, and medical information, but not laboratory test results.
New York City-based Gemini Advisory LLC, which monitors the Dark Web in attempts to find its clients’ stolen data, said in a Tuesday blog post that it first “identified a large number of compromised payment cards” on Feb. 28. About 15% of the records also included such personally identifiable information as dates of birth, Social Security numbers, physical addresses, and email addresses.
Christopher Thomas, an intelligence production analyst at Gemini Advisory, tells Digital Transactions News that all of the financial records it has spotted so far are payment card data, not bank-account information. “While 200,000 records have currently been posted for sale, it is common for cybercriminals to post compromised data to the Dark Web in installments, so the number of records may well increase,” Thomas says by email.
The breach indeed holds the potential to wreak ongoing havoc. Quest is not AMCA’s only client, the Gemini report notes. Another big diagnostics firm, LabCorp, said in a Tuesday regulatory filing that it has sent personal and financial data on 7.7 million consumers to AMCA. “AMCA has informed LabCorp that it is in the process of sending notices to approximately 200,000 LabCorp consumers whose credit card or bank-account information may have been accessed,” the LabCorp filing says. “AMCA has not yet provided LabCorp a list of the affected LabCorp consumers or more specific information about them.” It wasn’t immediately clear if all of the 200,000 records Gemini spotted originated with LabCorp.
Plus, some of the known compromised records were linked to health-savings accounts. HSAs are tax-advantaged accounts consumers can use to save funds to cover medical expenses, and some come with prepaid cards. “While we do not know the exact number of compromised HSAs, some of the most affected financial institutions in this breach primarily focus on HSAs,” says Thomas.
After finding the card numbers on the fraudster marketplaces, Gemini researchers concluded they came from something other than an online retailer. “Since the records we observed contained information such as date of birth and Social Security number, we determined that the compromised records came from an online portal that requires more personally identifiable information than average online retailers,” Thomas says.
“An in-depth analysis of the affected financial institutions indicated that it was a health provider, and through collaboration with partner banks we determined that the source of the compromised records was AMCA.”
Gemini Advisory said AMCA took its online payment portal offline from April 8 to May 2. Gemini also said it alerted AMCA to its findings, but received no response. Quest, meanwhile, said in its statement that “AMCA has not yet provided Quest or Optum360 detailed or complete information about the AMCA data-security incident, including which information of which individuals may have been affected.”
Exactly how the breach happened hasn’t been revealed, but in a statement, AMCA said Wednesday that an “unauthorized user” accessed its system.
“Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our Web payments page,” the statement says. “We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our Web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident.”
AMCA also said it is providing 24 months of credit monitoring to anyone who had a Social Security number or credit card account compromised, even if the relevant state doesn’t require it.