Up to 7.7 million LabCorp patients may have had personal data exposed as a result of a massive breach at a third-party billing collection agency.
LabCorp disclosed the breach in a filing with the U.S. Securities and Exchange Commission on Tuesday, one day after Quest Diagnostics announced nearly 12 million of its patients had data exposed in the same incident.
The vendor, American Medical Collection Agency, said an unauthorized user had accessed its web payment system between August 2018 and March 2019. The breached system held data on 7.7 million LabCorp patients, including some demographic and financial information, but not laboratory test results, according to the filing.
AMCA does not store Social Security numbers for LabCorp patients, according to the collection agency. In its announcement Monday, Quest said the breach may have exposed some of its patients' Social Security numbers.
AMCA told LabCorp it is sending notices to 200,000 LabCorp patients whose credit card or bank account information may have been accessed in the breach. AMCA is providing those patients with more specific information about the incident, as well as two years of identity protection and credit monitoring services.
AMCA did not immediately respond to a request for comment on the disparity between the 7.7 million and 200,000 figures.
LabCorp said AMCA has not yet provided it with a list of affected patients.
"LabCorp is working closely with AMCA to obtain more information and to take additional steps as may be appropriate once more is known about the AMCA incident," LabCorp wrote in its filing.
LabCorp, like Quest, has suspended sending collection requests to AMCA.
AMCA has said its investigation into the cybersecurity incident is ongoing.
In an emailed statement Monday, AMCA said it was taking steps to increase the security of its systems, including migrating its web payment portal services to a third-party vendor. The company said it is also working with outside experts to improve its security.
