Information security audit specialists reported a data breach incident in the major clinical company Quest Diagnostics that occurred last Monday; according to the company, an unauthorized actor obtained access to the records (including medical and financial data) of nearly 12 million of the company’s clients.
The news of the incident began to spread after Quest filed a notification to the Securities and Exchange Commission about a security breach in the systems of the American Medical Collection Agency (AMCA) collection company; Quest would have reported that AMCA’s payment web page could have been compromised from August 2018 to March 30.
In the notification, Quest mentions that the compromised information includes data such as Social Security numbers and financial details; the good news is that the results of the laboratory analyses of the company’s clients were not affected.
AMCA published a statement in which it mentions that the company began an information security audit after receiving an alert on a possible security breach in a compliance company that works with credit card groups.
Information security audit specialists believe that data breaches have increased in scope and frequency in recent months, and health-sector companies have become one of the main targets of threat actors looking to earn profits from stealing personal data.
According to specialists from the International Institute of Cyber Security (IICS), hackers attack the collection and billing companies hoping to find the financial information collected by contracting companies from the collections firms. Moreover, although it is not yet clear how a hacker could profit from people’s health information, experts are concerned about the relative ease with which malicious actors access this information, either directly or exploiting vulnerabilities in partner companies.
On previous occasions, hackers do not even have to work too hard to access these medical and financial records, as the companies in charge of their protection make basic security errors, exposing them to servers and databases without the necessary protective measures.