On February 28, 2019, Gemini Advisory identified a large number of compromised payment cards while monitoring dark web marketplaces. Almost 15% of these records included additional personally identifiable information (PII), such as email addresses, phone numbers, dates of birth (DOBs), Social Security numbers (SSNs), and physical addresses. A thorough analysis indicated that the information was likely stolen from the online payment portal of the American Medical Collection Agency (AMCA), one of the largest recovery agencies for patient collections. Several financial institutions also collaboratively confirmed the connection between the compromised payment card data and the breach at AMCA. While the initial estimate suggested approximately 10,000 victims, later research uncovered that the exposure window lasted at least eight months and affected over 200,000 victims. As of this writing, records from this breach are still being added to dark web marketplaces.
On March 1, 2019, Gemini Advisory made several unsuccessful attempts to contact AMCA so that the affected cardholders could be alerted. Later that day, Gemini provided its findings to federal law enforcement.
Databreaches[.]net published an article announcing this breach on May 10, 2019, relying on information provided by Gemini Advisory. Several days before publishing, Databreaches reached out to AMCA with questions about this incident but did not receive a response. AMCA was nevertheless clearly aware of an issue, as evidenced by the fact that its payment portal had been taken offline.
While having payment card data compromised can be highly inconvenient for the victim, a compromise such as AMCA's that also exposes PII (e.g., DOB and SSN) carries far more severe consequences for affected cardholders. A card number can be reissued; a DOB and SSN cannot. This information can be used to pass knowledge-based authentication and take over online banking and card accounts, to establish synthetic identities, or to design social engineering schemes. The data stolen from AMCA has been posted to top-tier dark web marketplaces and is now accessible to veteran cybercriminals.
In a medical breach, more than just personal debit and credit cards are exposed. Health Savings Accounts (HSAs) are often tied to specialized debit cards that are intended for medical payments but can also be used for regular purchases, at the cost of a severe tax penalty. Because HSAs reward accumulating funds that can later be withdrawn without penalty in retirement, account holders often use them only periodically, which means the accounts are likely not monitored as closely for daily unauthorized activity. They therefore make easier targets for criminal actors attempting to monetize the data compromised in medical breaches such as AMCA's.
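The monitoring gap described above is something an issuer can partly close on its own side. The following added example (written for this edit; it is not Gemini Advisory's code and not part of the original post) shows a simple rule set over a constructed HSA card transaction feed: a card that has been dormant for a long stretch and whose first new activity is at a non-medical merchant is flagged, as is any further non-medical spending in the days right after that dormancy break. The merchant category codes in `MEDICAL_MCCS`, the 90-day dormancy threshold, the 3-day burst window, and the `Txn` record layout are all assumptions chosen for illustration, not values taken from the page.

```python
from dataclasses import dataclass
from datetime import date

# Assumed set of card-network merchant category codes (MCCs) that an HSA card
# would normally be used at. Chosen for illustration; tune to the portfolio.
MEDICAL_MCCS = {
    "5912",  # drug stores and pharmacies
    "8011",  # doctors and physicians
    "8021",  # dentists and orthodontists
    "8031",  # osteopaths
    "8041",  # chiropractors
    "8042",  # optometrists and ophthalmologists
    "8043",  # opticians and eyewear
    "8049",  # podiatrists
    "8050",  # nursing and personal care facilities
    "8062",  # hospitals
    "8071",  # medical and dental laboratories
    "8099",  # medical services not elsewhere classified
}


@dataclass(frozen=True)
class Txn:
    """One authorization on an HSA-linked debit card (hypothetical record layout)."""
    txn_id: str
    card: str          # tokenized card reference, never the PAN
    when: date
    mcc: str
    amount: float
    card_present: bool


def flag_hsa_transactions(txns, dormancy_days=90, burst_days=3):
    """Return [(txn_id, reason), ...] for transactions worth an analyst's review.

    Rule 1: the first activity after >= dormancy_days of silence is at a
            non-medical merchant (a dormant card suddenly used off-pattern).
    Rule 2: any non-medical activity within burst_days of a dormancy break,
            even if the break itself was a small pharmacy "test" purchase.
    A card with no prior history yields no baseline and is not flagged.
    """
    flags = []
    last_seen = {}    # card -> date of the previous transaction
    break_date = {}   # card -> date on which a dormancy period ended

    for t in sorted(txns, key=lambda x: (x.when, x.txn_id)):
        prev = last_seen.get(t.card)
        last_seen[t.card] = t.when
        if prev is None:
            continue  # no baseline for this card yet

        gap = (t.when - prev).days
        if gap >= dormancy_days:
            break_date[t.card] = t.when

        if t.mcc in MEDICAL_MCCS:
            continue  # in-pattern use, regardless of timing

        if gap >= dormancy_days:
            flags.append((t.txn_id,
                          f"dormant {gap} days, first use at non-medical MCC {t.mcc}"))
        elif t.card in break_date and (t.when - break_date[t.card]).days <= burst_days:
            flags.append((t.txn_id,
                          f"non-medical MCC {t.mcc} within {burst_days} days of dormancy break"))
    return flags


# Constructed sample feed: card A is a normal user, card B goes quiet for
# months and then is drained at electronics/retail merchants, card C has no history.
SAMPLE_TXNS = [
    Txn("a1", "tok-A", date(2019, 1, 10), "8011", 120.00, True),
    Txn("a2", "tok-A", date(2019, 2, 14), "5912", 30.00, True),
    Txn("a3", "tok-A", date(2019, 3, 1), "5912", 45.00, True),
    Txn("b1", "tok-B", date(2018, 9, 5), "8062", 400.00, True),
    Txn("b2", "tok-B", date(2019, 3, 2), "5732", 899.00, False),   # electronics, card-not-present
    Txn("b3", "tok-B", date(2019, 3, 3), "5999", 250.00, False),   # misc retail, next day
    Txn("b4", "tok-B", date(2019, 3, 4), "5912", 12.00, True),     # pharmacy, in pattern
    Txn("b5", "tok-B", date(2019, 3, 10), "5732", 150.00, False),  # outside burst window
    Txn("c1", "tok-C", date(2019, 3, 5), "5732", 700.00, False),   # no baseline
]

if __name__ == "__main__":
    for txn_id, reason in flag_hsa_transactions(SAMPLE_TXNS):
        print(txn_id, reason)
```

On the sample feed this flags `b2` (178 days dormant, then an online electronics purchase) and `b3` (retail spend the following day), and nothing else; `b5` falls outside the burst window and would need a separate velocity rule. The point of keying the rules to dormancy rather than to amount is that a rarely used HSA card has almost no spending baseline, so timing and merchant category are the signals that remain.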
On June 3, 2019, ABC News reported that AMCA had informed medical testing company Quest Diagnostics that data from 11.9 million of its patients may have been impacted by this breach, admitting that "an unauthorized user had access to AMCA's system containing personal information AMCA received from various entities, including from Quest." According to AMCA, the compromised data includes financial data, SSNs, and medical information, but no laboratory test results. These findings align with Gemini's research, although analysts have not yet observed any medical information offered for sale. Since Quest Diagnostics is only one of AMCA's partners, the true number of affected patients may be far higher than 11.9 million, which would make AMCA the largest medical breach of 2019 to date.
Optum360, a Quest contractor that in turn uses AMCA for billing collection services, is reportedly also coordinating with the forensic investigation. As an indication of the severity of the breach, Optum360 has suspended sending collection requests to AMCA. The contractor is reportedly waiting for full information about which individuals' records were compromised and has not yet verified the accuracy of the information provided by AMCA.
While AMCA has informed Quest that 11.9 million patients may have been affected, Gemini Advisory can currently verify only around 200,000 compromised payment records tied to the breach, although more records are continually being added to dark web marketplaces. Analysts will continue to monitor this breach as public acknowledgement continues and AMCA releases further information.
Gemini Advisory provides actionable fraud intelligence to the largest financial organizations in an effort to mitigate ever-growing cyber risks. Our proprietary software uses asymmetrical methods to identify and isolate assets targeted by fraudsters and online criminals in real time.