LabCorp: 7.7 Million Consumers Hit in Collections Firm Breach

Medical testing giant LabCorp. said today personal and financial data on some 7.7 million consumers were exposed by a breach at a third-party billing collections firm. That third party — the American Medical Collection Agency (AMCA) — also recently notified competing firm Quest Diagnostics that an intrusion in its payments Web site exposed personal, financial and medical data on nearly 12 million Quest patients.

Just a few days ago, the news was all about how Quest had suffered a major breach. But today’s disclosure by LabCorp. suggests we are nowhere near done hearing about other companies with millions of consumers victimized because of this incident: The AMCA is a New York company with a storied history of aggressively collecting debt for a broad range of businesses, including medical labs and hospitals, direct marketers, telecom companies, and state and local traffic/toll agencies.

In a filing today with the U.S. Securities and Exchange Commission, LabCorp. said it learned that the breach at AMCA persisted between Aug. 1, 2018 and March 30, 2019. It said the information exposed could include first and last name, date of birth, address, phone, date of service, provider, and balance information.

“AMCA’s affected system also included credit card or bank account information that was provided by the consumer to AMCA (for those who sought to pay their balance),” the filing reads. “LabCorp provided no ordered test, laboratory results, or diagnostic information to AMCA. AMCA has advised LabCorp that Social Security Numbers and insurance identification information are not stored or maintained for LabCorp consumers.”

LabCorp further said the AMCA has informed LabCorp “it is in the process of sending notices to approximately 200,000 LabCorp consumers whose credit card or bank account information may have been accessed. AMCA has not yet provided LabCorp a list of the affected LabCorp consumers or more specific information about them.”

The LabCorp disclosure comes just days after competing lab testing firm Quest Diagnostics disclosed that the hack of AMCA exposed the personal, financial and medical data on approximately 11.9 million patients.

Quest said it first heard from the AMCA about the breach on May 14, but that it wasn’t until two weeks later that AMCA disclosed the number of patients affected and what information was accessed, which includes financial information (e.g., credit card numbers and bank account information), medical information and Social Security Numbers.

Quest says it has since stopped doing business with the AMCA and has hired a security firm to investigate the incident. Much like LabCorp, Quest also alleges the AMCA still hasn’t said which 11.9 million patients were impacted and that the company was withholding information about the incident.

The AMCA declined to answer any questions about whether the breach of its payments page impacted anyone who entered payment data into the company’s site during the breach. But through an outside PR firm, it issued the following statement:

“We are investigating a data incident involving an unauthorized user accessing the American Medical Collection Agency system,” reads a written statement attributed to the AMCA. “Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page.”

The statement continues:

“We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident. We remain committed to our system’s security, data privacy, and the protection of personal information.”


The AMCA also does business under the name “Retrieval-Masters Credit Bureau,” a company that has been in business since 1977. Retrieval-Masters also has an atrocious reputation for allegedly harassing consumers for debts they never owed.

A search on the company’s name at the complaints page of the Consumer Financial Protection Bureau (CFPB) turns up almost 700 complaints for Retrieval-Masters. The company has an abysmal “F” rating from the Better Business Bureau, with 60 complaints closed against it in the last three years.

Reviewing a number of those complaints reveals some of the AMCA’s other current and/or previous clients, including New Jersey’s EZPass system. Recent consumer complaints about the AMCA also invoke the name of American Traffic Solutions, which services rental car fleets and processes some 50 million toll transactions per year. ATS did not respond to requests for comment.

My guess is we will soon hear about many other companies and millions more consumers impacted by this breach at the AMCA. Certainly, companies like Quest and LabCorp. have a duty to ensure contractors are properly safeguarding their patients’ personal, medical and financial information.

But this AMCA incident is the latest example of a breach at a little-known company that nevertheless holds vast quantities of sensitive data that was being shared or stored in ways that were beyond the control of affected consumers.

On May 24, KrebsOnSecurity broke the news that the Web site for Fortune 500 real estate title insurance giant First American Financial [NYSE:FAF] leaked 885 million documents related to mortgage deals going back to 2003, until notified by KrebsOnSecurity. The digitized records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images — were available without authentication to anyone with a Web browser.

Many readers wrote in to say they’d never heard of First American, but it is the largest title insurance company in the United States. Title insurance is generally required for all home mortgages, and it protects the buyer from any previously unknown claims against the property. First American currently handles about one in every four title insurance transactions — usually as part of the mortgage closing process — which means tens of millions of Americans were potentially exposed by the company’s inexplicably lax security.

What is Network Security in Today’s Day and Age?

Network security is a high priority for any business these days. With many organizations having a distributed workforce, multiple OS platforms to support, and an increasing number of IoT devices coming into play, managing the security of an organization’s network and the vital data it carries can be a complex task.

There are a multitude of tools, applications and utilities on offer to help secure your network, but just where do you start and how can you be sure that what you’ve implemented is really keeping you protected? In this post, we take a look at the fundamentals of modern network security to give you a head start.


Defining Network Security

What is Network Security? With so many terms bandied around in the world of cybersecurity, it can be difficult to get a clear sense of the scope of such a broad term as ‘network security’. Let’s start by contrasting ‘network security’ with ‘endpoint security’. Whereas endpoint security concerns protecting a single device from intrusion and misuse, network security applies the same concerns to the entire network of interconnected devices in your organisation, and that includes the devices themselves and the data communicated between them, both in transit and at rest.


That definition means that endpoint security is part-and-parcel of your network security – a compromised device can serve as a pivot point into other devices on your network – but there’s much more to it than that. There’s also the question of how you control both users and devices within your network and how you detect and respond to anomalous behavior.

Network security also incorporates the policies and procedures you put in place to protect your assets such as password management, two-factor authentication and even three-factor authentication such as fingerprint identification and facial or retinal scans.

Why is Network Security Needed?

Once upon a time, an organisation would put up a firewall and conduct all its activities behind that supposedly impenetrable wall. However, as organisations have changed their practices and attackers have changed their tools, tactics and procedures, simply relying on a firewall has become increasingly inadequate.

With many organisations now using or moving to cloud or hybrid cloud technology, mobile devices and remote workers, as well as communication across timezones, it’s simply not realistic to expect all your users to be sitting cosily side-by-side on a corporate network.

More importantly, relying solely on a firewall presents a single point of failure. Aside from denial of service attacks against your perimeter, modern networks are at increasing risk of being penetrated through supply-chain attacks, DNS hijacking, phishing and spear-phishing campaigns and fileless malware, to name just a few. The modern threatscape essentially means that security needs to be distributed throughout your endpoints, rather than concentrated around the edges with a few supposedly “iron boxes”. If not, your network becomes entirely vulnerable once that thin outer layer is penetrated.

Network security is not just about external threats; it also covers the misuse or abuse of data and company assets by insiders. For example, nearly a third of all data breaches in the healthcare industry have been attributed to insiders, either through wrongdoing or human error. In the financial sector, some 60% of cyber-attacks have been attributed to privileged users, third-party partners, or malicious employees.

How Does Modern Network Security Work?

Because of the need to protect at more than just the perimeter, modern network security takes a defense in depth approach. It all begins with visibility, because you cannot protect against a threat that you cannot see. Therefore, modern network security requires that all endpoints have protection that offers admins the ability to see into their traffic, including encrypted traffic, as many threat actors have already moved to using SSL certificates and HTTPS connections.


Once you have visibility, defense in depth can be applied by first thinking about prevention. Ensure that access control policies are in place that will block unauthorized use, and limit the access of authorized users to the assets that they need. If you have, for example, a network with a bunch of IoT devices connecting to it, there’s really no need for those devices to access large parts of your network that are unrelated to their intended functions.

Devices should also have security software that incorporates application firewall controls. This allows the network admin to manage permitted traffic to and from every endpoint. On top of that, device control to prevent attacks from malicious USBs and other peripherals is also an essential part of protecting your network, by securing the ports that can be physically accessed on your endpoints.

After prevention, the next layer of defense in depth is detection. That means looking for and recognising anomalous behavior. The best way to do this is through behavioral AI software, but beware that not all “Next-Gen” security solutions are created equal. Just how effective they are depends greatly on the datasets the AI has been trained on, rather than any particular algorithm. 

A modern approach to network security means realising that breaches are sometimes going to happen. The attack surface is so vast that it would be naive to think that your prevention and detection is undefeatable by a determined attacker. Therefore, you need a response plan, aided and abetted by security solutions that can take autonomous action to remediate threats when they are detected.

A GIF demonstration of SentinelOne’s ActiveEDR (Endpoint Detection and Response) platform.

In the longer term, think about how you can incorporate a DevOps or SecOps mindset into your organizational management. With these kinds of approaches, network security becomes an intrinsic consideration at every level of decision-making.

How Can Network Security Be Tested?

So how can you know if your defenses are good enough? This is where network security testing comes into play. Vulnerability assessment, also commonly known as “pentesting”, involves simulating attacks against your own network to see how your tools, people and procedures hold up against an attacker. “Stress testing” your defenses takes skill – and permission – and is best undertaken by qualified penetration testers with clear limits and objectives agreed beforehand. 

Exactly what a penetration test will involve depends on the specific terms you agree with your tester, but there are typically three stages: a vulnerability scan, an in-depth penetration test and a risk analysis performed on any vulnerabilities discovered. 

Preliminary scans are often undertaken with automated tools that look for known CVE vulnerabilities. While these are useful to cover the basics, they will not offer insight into unreported vulnerabilities nor test the strength of your defenses under active or persistent attack. 

An in-depth penetration test, however, if conducted by a suitably qualified “white hat” or “ethical hacker”, should do exactly that, but it’s important to work with your tester to agree the rules of engagement and the scope of the test. Commonly deployed tools include Metasploit, Burp, Wireshark and Nmap, along with various techniques for obtaining domain admin access on your internal network. However, be sure your tester is doing more than just running “off-the-shelf” attacks and is actually capable of customising the attacks to the attack surface your environment presents.

Regardless of whether your pen tester performs the risk analysis stage or not, the outcome of a good penetration test should be a clear, digestible and itemised report – not a hocus-pocus of high-level geek-speak – detailing any vulnerabilities. Expect and insist upon clear instructions that will enable you or your own IT staff to reproduce the issue. If it isn’t reproducible by your own team, you cannot confirm that it’s a real security vulnerability.

A good penetration tester should also provide recommendations on mitigation, although these always need to be taken in light of your organization’s other needs and priorities. Either the tester or another analyst should conduct a risk analysis of specific vulnerabilities. Does the vulnerability represent a financial risk, possible data loss or compliance failure? What is the likelihood of it being exploited and the potential impact on the company?


It is important for your organization to deliver the services customers and employees demand, but to do so you need to protect your network. Good network security not only helps protect your IP and customer data, it also protects your reputation. By combining multiple layers of defense throughout your network – not just at the perimeter – with appropriate policies, controls and a Next-Gen endpoint security solution, you can give authorized users access to the network resources they need while blocking those trying to carry out attacks.

If you’d like to see how the SentinelOne solution can help you in this fight, listen to our customers explain why they chose SentinelOne or better still, give it a try for yourself with a free demo.

