Over 400,000 OPKO Health Customers Affected by AMCA Data Breach

On June 6, 2019, Bleepingcomputer.com reported that “Medical tests and medication firm OPKO Health Inc present in over 30 countries says that one of its subsidiaries, BioReference Laboratories Inc, was notified by American Medical Collection Agency (AMCA) of unauthorized activity on its web payment page.”

Bleepingcomputer.com also reported that:

This new breach notification follows previous breach reports received by diagnostic services provider Quest Diagnostics Incorporated and Laboratory Corporation of America Holdings (LabCorp) from AMCA.

In these two breaches alone, roughly 19 million of their customers have been impacted by unauthorized access to the companies’ data stored on AMCA’s systems. [Emphasis added.]

On June 7, 2019, TechNadu.com reported the following:

OPKO Health Inc., the Miami-based medical products, diagnostics, and pharmaceuticals company has announced a customer data breach that affects about 422600 of their customers. The records concern clients from all around the globe, as the company has a presence in 30 different countries through its subsidiaries. As we discussed only two days ago, when we presented the LabCorp breach, the company responsible for this mess is AMCA (American Medical Collection Agency). AMCA has been breached by hackers, and since the company has many collaborators, we will keep seeing news like this surface every day.

Last week, it was LabCorp with 7.7 million customers and a couple of days earlier than that it was Quest Diagnostics with 12 million patient data. This makes the OPKO Health number of exposed people pale in comparison to the above, but 422.6k records are by no means a laughable amount, especially when it concerns highly sensitive diagnostics or even payment information. According to the information that surfaced through the filing with the U.S. Securities and Exchange Commission . . . , the customer data that was leaked to the public includes patient name, DoB, address, phone, date of service, provider, and balance information. [Emphasis added.]

In a recent Form 8-K Filing, OPKO Health, Inc. disclosed the following:

On or around June 3, 2019, BioReference Laboratories, Inc. (“BioReference”), a subsidiary of OPKO Health Inc. (the “Company”), was notified by Retrieval-Masters Creditors Bureau, Inc. d/b/a American Medical Collection Agency (“AMCA”) about unauthorized activity on AMCA’s web payment page (the “AMCA Incident”). AMCA is an external collection agency that has been used in the past by BioReference and other healthcare companies. According to AMCA, the unauthorized activity occurred between August 1, 2018, and March 30, 2019. AMCA has advised BioReference that data for approximately 422,600 patients for whom BioReference performed testing was stored in the affected AMCA system. AMCA advised that AMCA’s affected system includes information provided by BioReference that may have included patient name, date of birth, address, phone, date of service, provider, and balance information. In addition, the affected AMCA system also included credit card information, bank account information (but no passwords or security questions) and email addresses that were provided by the consumer to AMCA. AMCA has advised BioReference that no Social Security Numbers were compromised, and BioReference provided no laboratory results or diagnostic information to AMCA. BioReference has not been able to verify the accuracy of the information received from AMCA.

AMCA advised BioReference that it is sending notices to approximately 6,600 patients for whom BioReference performed laboratory testing and whose credit card or bank account information was stored in AMCA’s affected system. AMCA indicated that it will provide these affected patients with more specific information about the AMCA Incident in addition to offering them identity protection and credit monitoring services for 24 months. AMCA has not yet provided BioReference a list of the affected patients or more specific information about them. AMCA has advised BioReference that AMCA is providing notice to state attorneys general and other state agencies as required by applicable state data breach laws.

AMCA has reported to BioReference that it is continuing to investigate this incident, has reported the AMCA Incident to law enforcement and has taken steps to increase the security of its systems, processes, and data, including shutting down its web payments page, migrating it to a third-party vendor, and hiring a cybersecurity firm to implement various safeguards to increase security. BioReference and the Company take data security very seriously, including the security of data handled by vendors. BioReference is currently seeking to obtain more information from AMCA and plans to promptly take additional steps as may be appropriate once more is known about the AMCA Incident.

BioReference has not sent any collection requests to AMCA since October 2018, and it will not send any new collection requests to AMCA. In addition, BioReference has requested that AMCA cease continuing to work on any pending collection requests involving BioReference patients. [Emphasis added.]

Kehoe Law Firm, P.C.

LabCorp – Possibly 7.7 Million Affected by Data Breach

On June 4, 2019, USA TODAY reported that

“[a] day after Quest Diagnostics announced 12 million patients were affected by a data breach, another medical testing company says its patients’ data was also compromised.

In a filing with the U.S. Securities and Exchange Commission on Tuesday, LabCorp. said ‘approximately 7.7 million consumers’ are affected by a breach at third-party collections firm American Medical Collection Agency, also known as AMCA.” [Emphasis added.]

LabCorp’s Form 8-K filed with the SEC disclosed the following:

In response to questions it has received, LabCorp® (NYSE: LH) announced that it has been notified by Retrieval-Masters Creditors Bureau, Inc. d/b/a American Medical Collection Agency (AMCA) about unauthorized activity on AMCA’s web payment page (the AMCA Incident). According to AMCA, this activity occurred between August 1, 2018, and March 30, 2019. AMCA is an external collection agency used by LabCorp and other healthcare companies. LabCorp has referred approximately 7.7 million consumers to AMCA whose data was stored in the affected AMCA system. AMCA’s affected system included information provided by LabCorp. That information could include first and last name, date of birth, address, phone, date of service, provider, and balance information. AMCA’s affected system also included credit card or bank account information that was provided by the consumer to AMCA (for those who sought to pay their balance). LabCorp provided no ordered test, laboratory results, or diagnostic information to AMCA. AMCA has advised LabCorp that Social Security Numbers and insurance identification information are not stored or maintained for LabCorp consumers.

AMCA has informed LabCorp that it is in the process of sending notices to approximately 200,000 LabCorp consumers whose credit card or bank account information may have been accessed. AMCA has not yet provided LabCorp a list of the affected LabCorp consumers or more specific information about them.

AMCA has indicated that it is continuing to investigate this incident and has taken steps to increase the security of its systems, processes, and data. LabCorp takes data security very seriously, including the security of data handled by vendors. AMCA has informed LabCorp that it intends to provide the approximately 200,000 affected LabCorp consumers with more specific information about the AMCA Incident, in addition to offering them identity protection and credit monitoring services for 24 months. LabCorp is working closely with AMCA to obtain more information and to take additional steps as may be appropriate once more is known about the AMCA Incident.

In response to initial notification of the AMCA Incident, LabCorp ceased sending new collection requests to AMCA and stopped AMCA from continuing to work on any pending collection requests involving LabCorp consumers. [Emphasis added.]

Quest Diagnostics – Personal Data of 11.9 Million Possibly Compromised

On June 3, 2019, Quest Diagnostics filed a Form 8-K with the SEC which stated:

On May 14, 2019, American Medical Collection Agency (AMCA), a billing collections vendor, notified Quest Diagnostics Incorporated (“Quest Diagnostics”) and Optum360 LLC, Quest Diagnostics’ revenue cycle management provider, of potential unauthorized activity on AMCA’s web payment page.  Quest Diagnostics and Optum360 promptly sought information from AMCA about the incident, including what, if any, information was subject to unauthorized access. Although Quest Diagnostics and Optum360 have not yet received detailed or complete information from AMCA about the incident, AMCA has informed Quest Diagnostics and Optum360 that:

  • between August 1, 2018 and March 30, 2019 an unauthorized user had access to AMCA’s system that contained information that AMCA had received from various entities, including Quest Diagnostics, and information that AMCA collected itself;
  • the information on AMCA’s affected system included financial information (e.g., credit card numbers and bank account information), medical information and other personal information (e.g., Social Security Numbers);
  • as of May 31, 2019, AMCA believes that the number of Quest Diagnostics patients whose information was contained on AMCA’s affected system was approximately 11.9 million people; and
  • AMCA has been in contact with law enforcement regarding the incident.

Quest Diagnostics has not been able to verify the accuracy of the information received from AMCA.

Quest Diagnostics’ laboratory test results were not provided to AMCA and were therefore not impacted by this incident. [Emphasis added.]

According to Forbes.com, this data breach is “. . . a significantly bigger security breach than the one Quest experienced in late 2016. In that incident, the health information of 34,000 customers was breached.”

People Inc. Issues Notification of a Data Security Incident

On May 29, 2019, People Inc., “Western New York’s leading non-profit human services agency,” published a news release on its website advising that People Inc. “. . . learned of a data security incident that involved protected health information belonging to certain current and former clients.  On May 29, 2019, People Inc. notified potentially impacted individuals and provided resources to assist them.”

According to the People Inc. news release:

On February 19, 2019, People Inc. discovered that an unknown individual had gained access to an email account belonging to a People Inc. employee.  Upon learning this information, People Inc. immediately reset the password required to access the impacted account.  People Inc. also engaged an independent forensics firm to determine what happened and whether personal information was accessed or acquired without authorization as a result of this incident.  Through this investigation, People Inc. learned that an email account belonging to a second employee may have been impacted as well.  That account is no longer operational.  On April 11, 2019, as a result of this investigation, People Inc. learned that the two email accounts contained personal information belonging to some current and former clients.  This personal information may have included names, addresses, Social Security numbers, financial account information, medical information, health insurance information, and/or driver’s license or other government identification numbers.

People Inc. takes the security of all information very seriously.  People Inc. has no evidence indicating that any information aside from the information contained within the two employee email accounts was impacted in connection with this incident.  In addition, People Inc. has no evidence that any of the information potentially involved in this incident has been misused.  People Inc. has reported this matter to the FBI and will cooperate as necessary to hold the perpetrators accountable.

Notification letters were sent to all potentially impacted individuals on May 29, 2019.  The letters include information about this incident and about steps that potentially impacted individuals can take to monitor and help protect their personal information.  People Inc. has established a toll-free call center to answer questions about the incident and to address related concerns.  The call center can be reached at 855-579-3669.  In addition, as a precaution, People Inc. is offering complimentary identity protection services through Experian to potentially impacted individuals.  To determine if you qualify for this service, you must obtain verification through the call center.  If you have been impacted, information on how to enroll for this service will be made available to you. [Emphasis added.]

T-Mobile – Alleged TCPA Violations Due to Unsolicited Text Messages

Kehoe Law Firm, P.C. is making consumers aware that on May 28, 2019, a class action complaint alleging violations of the Telephone Consumer Protection Act (“TCPA”) was filed in United States District Court for the Northern District of Georgia, Atlanta Division, against T-Mobile USA, Inc. (“T-Mobile”) “. . . challeng[ing] T-Mobile’s practice of sending unsolicited text message calls for telemarketing purposes without instituting procedures for maintaining a list of persons who request not to receive such text message calls.”

The Plaintiff, according to the complaint, “. . . signed up for T-Mobile’s cellular service in December 2018. Since then, he has repeatedly received text message calls—including texts for telemarketing purposes. On multiple occasions, Plaintiff asked T-Mobile to stop sending his family and him text message calls, but T-Mobile has not stopped. In fact, T-Mobile responded that it is unable to stop its ‘system-generated’ text message calls.” [NOTE: The class action complaint notes that the Plaintiff opted out of T-Mobile’s arbitration procedures for dispute resolution in January 2019.]

According to the complaint:

Shortly after receiving the first unwanted text message call from T-Mobile in December, Plaintiff accessed his account preferences to opt out of all alerts and messaging from T-Mobile, but continued to receive text message calls from T-Mobile.

In or around late December, Plaintiff called T-Mobile customer service and asked T-Mobile to stop sending the text message calls, but continued to receive text message calls after contacting T-Mobile customer service.

On or around January 8, Plaintiff sent an email to T-Mobile’s CEO, John Legere, requesting that T-Mobile stop sending him unwanted text message calls.

A representative from Mr. Legere’s office responded and informed Plaintiff that the text message calls are automated and T-Mobile is unable to stop them from being sent. The representative, however, promised to take Plaintiff off the list for marketing text message calls.

After this exchange with the CEO’s representative, Plaintiff continued to receive marketing text message calls from T-Mobile.

Plaintiff sent another email to Mr. Legere’s office, again requesting that the text message calls stop.

The same customer service representative responded by email on January 12 and explained:

“System generated text messages from T-Mobile are intended to let you know of the benefits that are available to you. As we previously discussed, we are unable to stop our system from sending generated texts about your service. Please know that this is common upon activating new service and does stop with time.”

Consistent with these statements, Plaintiff still continues to receive T-Mobile text message calls. The text message calls are not limited to texts about his cellular service. He also continues to receive text message calls about promotional offers from T-Mobile. [Emphasis added.]

Additionally, the complaint alleges that “T-Mobile is aware of the TCPA’s requirement that it cannot send telemarketing text message calls without instituting procedures for maintaining a list of persons who have requested not to receive such text message calls and procedures for honoring those requests.”

Do You Believe You Are a Victim of Illegal Robocalls, Text Messages, “Junk” Faxes or Telemarketing Sales Calls?

If you have received illegal robocalls, text messages, “junk” faxes or telemarketing sales calls, you may be able to recover at least $500 for each illegal call, text or fax you received and, possibly, as much as $1,500 for each illegal call, text message or facsimile that was made either willfully or knowingly in violation of the Telephone Consumer Protection Act.

To help evaluate your potential legal claims under the Telephone Consumer Protection Act, please complete KLF’s confidential Robocall Questionnaire or, if you prefer to speak with an attorney, contact Michael Yarnoff, Esq., (215) 792-6676, Ext. 804, for a free, no-obligation evaluation of your potential legal rights.

Data Leak Exposes More Than 800 Million Title Insurance Records

On May 30, 2019, williamsonsource.com reported that “First American Financial Corp.’s website was unknowingly exposing up to 885 million files related to real estate title insurance records dating from 2003 to 2019.” Further, reportedly, “[a]nyone with a URL for a valid document could view other documents by modifying a single digit in the URL. Viewing another document did not require authentication.”

According to williamsonsource.com, the data exposed by the website consisted of Social Security numbers, driver’s license images, wire transaction receipts, bank account numbers and statements, and mortgage and tax records.

The difference between a data exposure or data leak and a data breach, according to williamsonsource.com, is that “[i]n a breach, unauthorized access to sensitive information is intentional. In a data exposure like this one, the sensitive information is left out in the open, often because improper security measures were used.”

As previously reported, New York’s Department of Financial Services is investigating the security vulnerability, and, recently, a class action complaint was filed in United States District Court, Central District of California, against First American Financial Corporation and First American Title Company (collectively, “First American”) alleging, among other things, that First American, “[d]espite explicitly promising customers robust data security as part of the high cost of services, . . . allowed anyone to access the sensitive files of millions of customers.”
