AMCA Breach May Be Largest Medical Breach in 2019

June 4, 2019

Key Findings

  • On February 28, 2019, Gemini Advisory identified a large number of compromised payment cards in the dark web containing personally identifiable information (PII), such as dates of birth (DOBs), Social Security numbers (SSNs), and physical addresses.  
  • A thorough analysis indicated that the information was likely stolen from the online portal of the American Medical Collection Agency (AMCA), one of the largest recovery agencies for patient collections.
  • Databreaches[.]net published an article announcing this breach on May 10, relying on information provided by Gemini Advisory. It reached out to AMCA with questions about this incident, but did not receive a response.
  • On June 3, ABC News reported that AMCA had informed medical testing company Quest Diagnostics that data from 11.9 million of its patients may have been impacted by this breach.
  • While AMCA has informed Quest that 11.9 million customers may have been affected, Gemini Advisory can only verify around 200,000 compromised payment records related to the breach at this time, although more records are continually being added to dark web marketplaces.

Background

On February 28, 2019, Gemini Advisory identified a large number of compromised payment cards while monitoring dark web marketplaces. Almost 15% of these records included additional personally identifiable information (PII), such as email addresses, phone numbers, dates of birth (DOBs), Social Security numbers (SSNs), and physical addresses. A thorough analysis indicated that the information was likely stolen from the online portal of the American Medical Collection Agency (AMCA), one of the largest recovery agencies for patient collections. Several financial institutions also collaboratively confirmed the connection between the compromised payment card data and the breach at AMCA. While the initial estimate suggested approximately 10,000 victims, later research uncovered that the exposure window lasted for at least eight months and affected over 200,000 victims. These records are continually being added to the dark web, as of this writing.

On March 1, 2019, Gemini Advisory made several unsuccessful attempts to contact AMCA in order to alert the victims. Later that day, Gemini successfully provided its findings to Federal Law Enforcement.

In-Depth Analysis

Impact

Databreaches[.]net published an article announcing this breach on May 10, 2019, relying on information provided by Gemini Advisory. Several days before publishing, Databreaches reached out to AMCA with questions about this incident, but did not receive a response. However, AMCA was clearly aware of an issue, as evidenced by its inactive payment portal.

Image 1: AMCA’s payment portal was offline as of April 8, 2019, and remained offline for several weeks.

While having payment card data compromised can be highly inconvenient for the victim, compromises such as AMCA’s that involve PII (e.g., DOB and SSN) can carry far more severe consequences for affected cardholders. This information can be leveraged to gain full access to online banking and card accounts, establish synthetic identities, or design social engineering schemes. The compromised data stolen from AMCA has been posted to top-tier dark web marketplaces and is now accessible to veteran cybercriminals.

In a medical breach, more than just personal debit and credit cards are vulnerable. Health Savings Accounts (HSAs) are often tied to specialized debit cards that are used to make medical-based payments but can also be used for regular purchases at the cost of a severe tax penalty. Account holders often only periodically use HSAs due to the incentives for accumulating funds that can later be withdrawn without any penalties during retirement, meaning that they are likely not as closely monitored for any daily unauthorized activities. Thus, they make easier targets for criminal actors who attempt to monetize the compromised data from medical breaches such as AMCA’s.

Image 2: The top 10 states containing the billing addresses of cardholders affected by the AMCA breach.

Response

On June 3, 2019, ABC News reported that AMCA had informed medical testing company Quest Diagnostics that data from 11.9 million of its patients may have been impacted by this breach, admitting that “an unauthorized user had access to AMCA’s system containing personal information AMCA received from various entities, including from Quest.” According to AMCA, the compromised data includes personal information such as financial data, SSNs, and medical information, but no laboratory test results; these findings align with Gemini’s research, although analysts have not discovered any medical information offered for sale. Since Quest Diagnostics is only one of AMCA’s partners, the true number of affected patients may be far higher than 11.9 million. AMCA may thus be the largest medical breach in 2019.

Optum360, a Quest contractor that receives billing collection services from AMCA, is reportedly also coordinating with the forensic investigation. As evidence of the severity of the breach, Optum360 has suspended sending collection requests to AMCA. The contractor is reportedly waiting for full information about which individuals’ records have been compromised and has not yet verified the accuracy of the information provided by AMCA.

While AMCA has informed Quest that 11.9 million customers may have been affected, Gemini Advisory can only verify around 200,000 compromised payment records related to the breach at this time, although more records are continually being added to dark web marketplaces. Analysts will continue to monitor this breach as public acknowledgement continues and AMCA releases further information.

Gemini Advisory Mission Statement

Gemini Advisory provides actionable fraud intelligence to the largest financial organizations in an effort to mitigate ever-growing cyber risks. Our proprietary software utilizes asymmetrical solutions in order to help identify and isolate assets targeted by fraudsters and online criminals in real-time.

The "AMCA Breach May Be Largest Medical Breach in 2019" report analyzes the breach of an online medical portal and the related compromised payment information and personally identifiable information (PII), including dates of birth (DOBs) and Social Security numbers (SSNs). It covers the AMCA statement to Quest Diagnostics that 11.9 million patients' data may have been compromised and compares that to verified payment records posted to the dark web. This hack may the largest medical breach of 2019. 

%d bloggers like this: