“Major Data Leak” Discovered at Fortune 500 Tech Data Corporation

Reportedly, “[t]he research team at vpnMentor discovered a major data leak at the Tech Data Corporation (NASDAQ: TECD), a Fortune 500 company providing tech products, services, and solutions globally.” Further, “vpnMentor’s researchers, led by security researchers Noam Rotem and Ran Locar, identified the consequential data breach that exposes access to 264GB of Tech Data’s client servers, invoices, SAP integrations, plain-text passwords, and much more.” [Emphasis added.]

vpnMentor also reported that “Tech Data – the 45 year old veteran infrastructure solutions company working with vendors such as Apple, Cisco, Samsung, Symantec, et al – had a full database leak that seemed to affect much of the corporate and personal data of clients and employees.” According to vpnMentor, the data included, among other things, private API keys, bank information, payment details, and user names and unencrypted passwords.

According to Techcrunch.com,

[t]he server was running a database used for logging internal company events for its StreamOne cloud service, which let customers buy cloud services from a variety of providers and vendors. The logging data contained error data that Tech Data staff can use to troubleshoot issues that arise when customers try to buy service online.

But the tech giant did not put a password on the server, allowing anyone with a web browser to look over daily logs for the last several months.

. . . 

TechCrunch also obtained a portion of the records, which [was] examined for authenticity.

The database contained an array of data, but [TechCrunch] found large swathes of customer data, including names, postal addresses and email addresses, job titles and invoicing data and receipts. The records also contained partial payment information, such as card type, cardholder names and expiry dates.

Aside from obfuscated card numbers, none of the data was encrypted.

It’s not known exactly how many customer records are in the database. The portion of data . . . obtained contained data on tens of thousands of customers — but the database was vastly bigger in size. [Emphasis added.]

Kehoe Law Firm, P.C.

Over 400,000 OPKO Health Customers Affected by AMCA Data Breach

On June 6, 2019, Bleepingcomputer.com reported that “Medical tests and medication firm OPKO Health Inc present in over 30 countries says that one of its subsidiaries, BioReference Laboratories Inc, was notified by American Medical Collection Agency (AMCA) of unauthorized activity on its web payment page.”

Bleepingcomputer.com also reported that:

This new breach notification follows previous breach reports received by diagnostic services provider Quest Diagnostics Incorporated and Laboratory Corporation of America Holdings (LabCorp) from AMCA.

In these two breaches alone, roughly 19 million of their customers having been impacted by unauthorized access to the companies’ data stored on AMCA’s systems. [Emphasis added.]

On June 7, 2019, TechNadu.com reported the following:

OPKO Health Inc., the Miami-based medical products, diagnostics, and pharmaceuticals company has announced a customer data breach that affects about 422600 of their customers. The records concern clients from all around the globe, as the company has a presence in 30 different countries through its subsidiaries. As we discussed only two days ago, when we presented the LabCorp breach, the company responsible for this mess is AMCA (American Medical Collection Agency). AMCA has been breached by hackers, and since the company has many collaborators, we will keep seeing news like this surface every day.

Last week, it was LabCorp with 7.7 million customers and a couple of days earlier than that it was Quest Diagnostics with 12 million patient data. This makes the OPKO Health number of exposed people pale in comparison to the above, but 422.6k records are by no means a laughable amount, especially when it concerns highly sensitive diagnostics or even payment information. According to the information that surfaced through the filing with the U.S. Securities and Exchange Commission . . . , the customer data that was leaked to the public includes patient name, DoB, address, phone, date of service, provider, and balance information. [Emphasis added.]

In a recent Form 8-K Filing, OPKO Health, Inc. disclosed the following:

On or around June 3, 2019, BioReference Laboratories, Inc. (“BioReference”), a subsidiary of OPKO Health Inc. (the “Company”), was notified by Retrieval-Masters Creditors Bureau, Inc. d/b/a American Medical Collection Agency (“AMCA”) about unauthorized activity on AMCA’s web payment page (the “AMCA Incident”). AMCA is an external collection agency that has been used in the past by BioReference and other healthcare companies. According to AMCA, the unauthorized activity occurred between August 1, 2018, and March 30, 2019. AMCA has advised BioReference that data for approximately 422,600 patients for whom BioReference performed testing was stored in the affected AMCA system. AMCA advised that AMCA’s affected system includes information provided by BioReference that may have included patient name, date of birth, address, phone, date of service, provider, and balance information. In addition, the affected AMCA system also included credit card information, bank account information (but no passwords or security questions) and email addresses that were provided by the consumer to AMCA. AMCA has advised BioReference that no Social Security Numbers were compromised, and BioReference provided no laboratory results or diagnostic information to AMCA. BioReference has not been able to verify the accuracy of the information received from AMCA.

AMCA advised BioReference that it is sending notices to approximately 6,600 patients for whom BioReference performed laboratory testing and whose credit card or bank account information was stored in AMCA’s affected system. AMCA indicated that it will provide these affected patients with more specific information about the AMCA Incident in addition to offering them identity protection and credit monitoring services for 24 months. AMCA has not yet provided BioReference a list of the affected patients or more specific information about them. AMCA has advised BioReference that AMCA is providing notice to state attorneys general and other state agencies as required by applicable state data breach laws.

AMCA has reported to BioReference that it is continuing to investigate this incident, has reported the AMCA Incident to law enforcement and has taken steps to increase the security of its systems, processes, and data, including shutting down its web payments page, migrating it to a third-party vendor, and hiring a cybersecurity firm to implement various safeguards to increase security. BioReference and the Company take data security very seriously, including the security of data handled by vendors. BioReference is currently seeking to obtain more information from AMCA and plans to promptly take additional steps as may be appropriate once more is known about the AMCA Incident.

BioReference has not sent any collection requests to AMCA since October 2018, and it will not send any new collection requests to AMCA. In addition, BioReference has requested that AMCA cease continuing to work on any pending collection requests involving BioReference patients. [Emphasis added.]

LabCorp – Possibly 7.7 Million Affected by Data Breach

On June 4, 2019, USA TODAY reported that

“[a] day after Quest Diagnostics announced 12 million patients were affected by a data breach, another medical testing company says its patients’ data was also compromised.

In a filing with the U.S. Securities and Exchange Commission on Tuesday, LabCorp. said “approximately 7.7 million consumers” are affected by a breach at third-party collections firm American Medical Collection Agency, also known as AMCA.” [Emphasis added.]

LabCorp’s Form 8-K filed with the SEC disclosed the following:

In response to questions it has received, LabCorp® (NYSE: LH) announced that it has been notified by Retrieval-Masters Creditors Bureau, Inc. d/b/a American Medical Collection Agency (AMCA) about unauthorized activity on AMCA’s web payment page (the AMCA Incident). According to AMCA, this activity occurred between August 1, 2018, and March 30, 2019. AMCA is an external collection agency used by LabCorp and other healthcare companies. LabCorp has referred approximately 7.7 million consumers to AMCA whose data was stored in the affected AMCA system. AMCA’s affected system included information provided by LabCorp. That information could include first and last name, date of birth, address, phone, date of service, provider, and balance information. AMCA’s affected system also included credit card or bank account information that was provided by the consumer to AMCA (for those who sought to pay their balance). LabCorp provided no ordered test, laboratory results, or diagnostic information to AMCA. AMCA has advised LabCorp that Social Security Numbers and insurance identification information are not stored or maintained for LabCorp consumers.

AMCA has informed LabCorp that it is in the process of sending notices to approximately 200,000 LabCorp consumers whose credit card or bank account information may have been accessed. AMCA has not yet provided LabCorp a list of the affected LabCorp consumers or more specific information about them.

AMCA has indicated that it is continuing to investigate this incident and has taken steps to increase the security of its systems, processes, and data. LabCorp takes data security very seriously, including the security of data handled by vendors. AMCA has informed LabCorp that it intends to provide the approximately 200,000 affected LabCorp consumers with more specific information about the AMCA Incident, in addition to offering them identity protection and credit monitoring services for 24 months. LabCorp is working closely with AMCA to obtain more information and to take additional steps as may be appropriate once more is known about the AMCA Incident.

In response to initial notification of the AMCA Incident, LabCorp ceased sending new collection requests to AMCA and stopped AMCA from continuing to work on any pending collection requests involving LabCorp consumers. [Emphasis added.]


Quest Diagnostics – Personal Data of 11.9 Million Possibly Compromised

On June 3, 2019, Quest Diagnostics filed a Form 8-K with the SEC which stated:

On May 14, 2019, American Medical Collection Agency (AMCA), a billing collections vendor, notified Quest Diagnostics Incorporated (“Quest Diagnostics”) and Optum360 LLC, Quest Diagnostics’ revenue cycle management provider, of potential unauthorized activity on AMCA’s web payment page.  Quest Diagnostics and Optum360 promptly sought information from AMCA about the incident, including what, if any, information was subject to unauthorized access. Although Quest Diagnostics and Optum360 have not yet received detailed or complete information from AMCA about the incident, AMCA has informed Quest Diagnostics and Optum360 that:

  • between August 1, 2018 and March 30, 2019 an unauthorized user had access to AMCA’s system that contained information that AMCA had received from various entities, including Quest Diagnostics, and information that AMCA collected itself;
  • the information on AMCA’s affected system included financial information (e.g., credit card numbers and bank account information), medical information and other personal information (e.g., Social Security Numbers);
  • as of May 31, 2019, AMCA believes that the number of Quest Diagnostics patients whose information was contained on AMCA’s affected system was approximately 11.9 million people; and
  • AMCA has been in contact with law enforcement regarding the incident.

Quest Diagnostics has not been able to verify the accuracy of the information received from AMCA.

Quest Diagnostics’ laboratory test results were not provided to AMCA and were therefore not impacted by this incident. [Emphasis added.]

According to Forbes.com, this data breach is “. . . a significantly bigger security breach than the one Quest experienced in late 2016. In that incident, the health information of 34,000 customers was breached.”


People Inc. Issues Notification of a Data Security Incident

On May 29, 2019, People Inc., “Western New York’s leading non-profit human services agency,” published a news release on its website advising that People Inc. “. . . learned of a data security incident that involved protected health information belonging to certain current and former clients.  On May 29, 2019, People Inc. notified potentially impacted individuals and provided resources to assist them.”

According to the People Inc. news release:

On February 19, 2019, People Inc. discovered that an unknown individual had gained access to an email account belonging to a People Inc. employee.  Upon learning this information, People Inc. immediately reset the password required to access the impacted account.  People Inc. also engaged an independent forensics firm to determine what happened and whether personal information was accessed or acquired without authorization as a result of this incident.  Through this investigation, People Inc. learned that an email account belonging to a second employee may have been impacted as well.  That account is no longer operational.  On April 11, 2019, as a result of this investigation, People Inc. learned that the two email accounts contained personal information belonging to some current and former clients.  This personal information may have included names, addresses, Social Security numbers, financial account information, medical information, health insurance information, and/or driver’s license or other government identification numbers.

People Inc. takes the security of all information very seriously.  People Inc. has no evidence indicating that any information aside from the information contained within the two employee email accounts was impacted in connection with this incident.  In addition, People Inc. has no evidence that any of the information potentially involved in this incident has been misused.  People Inc. has reported this matter to the FBI and will cooperate as necessary to hold the perpetrators accountable.

Notification letters were sent to all potentially impacted individuals on May 29, 2019.  The letters include information about this incident and about steps that potentially impacted individuals can take to monitor and help protect their personal information.  People Inc. has established a toll-free call center to answer questions about the incident and to address related concerns.  The call center can be reached at 855-579-3669.  In addition, as a precaution, People Inc. is offering complimentary identity protection services through Experian to potentially impacted individuals.  To determine if you qualify for this service, you must obtain verification through the call center.  If you have been impacted, information on how to enroll for this service will be made available to you. [Emphasis added.]
