June 4, 2019

Medical testing giant LabCorp. said today personal and financial data on some 7.7 million consumers were exposed by a breach at a third-party billing collections firm. That third party — the American Medical Collection Agency (AMCA) — also recently notified competing firm Quest Diagnostics that an intrusion in its payments Web site exposed personal, financial and medical data on nearly 12 million Quest patients.

Just a few days ago, the news was all about how Quest had suffered a major breach. But today’s disclosure by LabCorp. suggests we are nowhere near done hearing about other companies with millions of consumers victimized because of this incident: The AMCA is a New York company with a storied history of aggressively collecting debt for a broad range of businesses, including medical labs and hospitals, direct marketers, telecom companies, and state and local traffic/toll agencies.

In a filing today with the U.S. Securities and Exchange Commission, LabCorp. said it learned that the breach at AMCA persisted between Aug. 1, 2018 and March 30, 2019. It said the information exposed could include first and last name, date of birth, address, phone, date of service, provider, and balance information.

“AMCA’s affected system also included credit card or bank account information that was provided by the consumer to AMCA (for those who sought to pay their balance),” the filing reads. “LabCorp provided no ordered test, laboratory results, or diagnostic information to AMCA. AMCA has advised LabCorp that Social Security Numbers and insurance identification information are not stored or maintained for LabCorp consumers.”

LabCorp further said the AMCA has informed LabCorp “it is in the process of sending notices to approximately 200,000 LabCorp consumers whose credit card or bank account information may have been accessed. AMCA has not yet provided LabCorp a list of the affected LabCorp consumers or more specific information about them.”

The LabCorp disclosure comes just days after competing lab testing firm Quest Diagnostics disclosed that the hack of AMCA exposed the personal, financial and medical data on approximately 11.9 million patients.

Quest said it first heard from the AMCA about the breach on May 14, but that it wasn’t until two weeks later that AMCA disclosed the number of patients affected and what information was accessed, which includes financial information (e.g., credit card numbers and bank account information), medical information and Social Security Numbers.

Quest says it has since stopped doing business with the AMCA and has hired a security firm to investigate the incident. Much like LabCorp, Quest also alleges the AMCA still hasn’t said which 11.9 million patients were impacted and that the company was withholding information about the incident.

The AMCA declined to answer any questions about whether the breach of its payments page impacted anyone who entered payment data into the company’s site during the breach. But through an outside PR firm, it issued the following statement:

“We are investigating a data incident involving an unauthorized user accessing the American Medical Collection Agency system,” reads a written statement attributed to the AMCA. “Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page.”

The statement continues:

“We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident. We remain committed to our system’s security, data privacy, and the protection of personal information.”

ANALYSIS

The AMCA also does business under the name “Retrieval-Masters Creditors Bureau,” a company that has been in business since 1977. Retrieval-Masters also has an atrocious reputation for allegedly harassing consumers for debts they never owed.

A search on the company’s name at the complaints page of the Consumer Financial Protection Bureau (CFPB) turns up almost 700 complaints for Retrieval-Masters. The company has an abysmal “F” rating from the Better Business Bureau, with 60 complaints closed against it in the last three years.

Reviewing a number of those complaints reveals some of the AMCA’s other current and/or previous clients, including New Jersey’s EZPass system. Recent consumer complaints about the AMCA also invoke the name of American Traffic Solutions, which services rental car fleets and processes some 50 million toll transactions per year. ATS did not respond to requests for comment.

My guess is we will soon hear about many other companies and millions more consumers impacted by this breach at the AMCA. Certainly, companies like Quest and LabCorp. have a duty to ensure contractors are properly safeguarding their patients’ personal, medical and financial information.

But this AMCA incident is the latest example of a breach at a little-known company that nevertheless holds vast quantities of sensitive data that was being shared or stored in ways that were beyond the control of affected consumers.

On May 24, KrebsOnSecurity broke the news that the Web site for Fortune 500 real estate title insurance giant First American Financial [NYSE:FAF] leaked 885 million documents related to mortgage deals going back to 2003, until notified by KrebsOnSecurity. The digitized records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images — were available without authentication to anyone with a Web browser.

Many readers wrote in to say they’d never heard of First American, but it is the largest title insurance company in the United States. Title insurance is generally required for all home mortgages, and it protects the buyer from any previously unknown claims against the property. First American currently handles about one in every four title insurance transactions — usually as part of the mortgage closing process — which means tens of millions of Americans were potentially exposed by the company’s inexplicably lax security.


47 thoughts on “LabCorp: 7.7 Million Consumers Hit in Collections Firm Breach”

  1. Dissent

    Hi Brian,

    The breach was first discovered by Gemini Advisory on Feb. 28. They tried unsuccessfully — several times, they tell me — to notify AMCA. Gemini then contacted LE and notified LE.

    The breach was first reported on DataBreaches.net on May 10: https://www.databreaches.net/american-medical-collection-agency-breach-impacted-200000-patients-gemini-advisory/

    Interesting coincidence, perhaps, that AMCA is notifying 200,000 LabCorp patients about card number or bank account exposure. Gemini had found 200,000 cards up for sale on a top-tier market, but 15% of those cards had SSN, DOB, or other PII. AMCA told LabCorp that they don’t store LabCorp patients’ SSN, so maybe the 200,000 cards found up for sale in February weren’t from LabCorp but from some other client or combination of clients.

    Either way, I do think we have only seen the tip of a huge iceberg….

  2. medicalquack

    Thanks Brian for your coverage here. After the Quest story broke yesterday I reminded all that LabCorp also uses that same collection agency, and here’s your story:)

    We should also remember that Optum 360, a subsidiary of United Healthcare does all the Quest billing too so they’re in here too. Most folks don’t pay attention to what goes on in subsidiaries but they should as that’s where the action happens, in places where people won’t bother to look or educate themselves, been going on for years, as I keep singing, “its so easy to cheat with code, so doggone easy, so easy…”..and thank goodness all coders don’t cheat but there’s enough that do, to include hackers.

    I keep saying before we can have any privacy and accountability, we need to index and license the data sellers/sharers, so we know who they are. How do you regulate this business when folks don’t know who they are outside of the big ones, and this story drives that fact home again. For anyone who wants to toss me a bone, it’s here. I’ve been after this for about 10 years, written to lawmakers and then some. I’ve written enough about the healthcare data sellers for sure in post after post after post. You don’t know what’s going on on the back end and what code is executing, all that is seen as a user, is the front end and people mistake those clicks for being the entire code show and I can’t tell you how wrong you are, there’s more code in black boxes at back ends than Carter has pills.

    https://gogetfunding.com/index-and-license-all-data-sellerssharers-in-the-us/

    Again, after I tweeted that yesterday reminding folks that LabCorp uses the same collection agency, here’s the story at Krebs! Thanks for all you do.

  3. Roger Sweatan

    American Traffic Solutions is well known for making under-the-table payments to municipality officials to shorten the leeway on the red light cameras it manages to get installed to grift citizens. In some cases, they’ve actually bribed them to shorten the time that one can be ‘in the red’ leaving an intersection to 0 seconds.

  4. Belli

    Well, I’ve personally known about these breaches (Quest and LabCorp) for several weeks now, which is why I have been wondering in earlier articles’ comments here (on other breaches) why Brian was seeing, hearing and/or reporting about health-care leaks.

    But, with sad news, this Quest/LabCorp is only a minnow in the bucket that is coming: the huge medical agglomerations of hospital chains and certain huge insurance companies, when they finally come clean with what we’ve been warning them for months now, is going to surpass what happened with Equifax & nearly everything else.

    For criminals, the linking of health care info to everything else that has been breached/exposed in the past few years, and the combining of data bases, opens up a whole new game on the holding someone & someones hostage to ransom. Use your imagination…and you still won’t imagine the horror that will/might be done.

    I’m hoping, since this will hit State and Federal Congress members too, that they finally get off their collective duffs and start getting serious about both oversight and mandating huge fines to companies that continue to neglect protecting entrusted, private citizen info.

    …….the melee to come, good heavens, I deeply feel for anyone that has a personal condition that needed to forever remain quiet & personal…… ;-(

    1. Dave

      Agree. I’d like the extra step of holding C-suits legally responsible for negligence when found. Otherwise, those fines just get passed on to consumers and C-suits are like “oh well”.

  5. George G.

    Title Insurance = legal racket.
    Just read all the exceptions and exclusions on the policy.

    Also:
    I bought home with 5 yr. loan and paid for title insurance.
    When the 5 yrs were up I applied for a longer term mortgage. The bank insisted that I buy title insurance again. Why should I, since it is the same home that I have owned and on which I already took out title insurance ?
    The bank did not relent. Neither did I. Sold stock and paid off what I still owed on the home.

    1. Michael M

      Just like any insurance, there are stipulations. It looks like in your case they were unacceptable so you chose not to participate, good on you.

      The problem with your example is that someone could have quick claimed the title to the house and then locked it in a safe deposit box and then claimed it at nearly any point in the future, the bank is just protecting their assets.
      For you as a home owner there is little chance of that happening, but for the bank as the lien holder for thousands of titles it will happen numerous times. Title Insurance protects both the bank and the owner from undue loss due to a poor chain of custody of the title.
      This isn’t even counting the number of shady people who will try and game the system by quick claiming the title to a relative then try and have the relative claim title against the house defrauding the bank primary security of the loan.

      1. George G.

        Then maybe the bank should absorb the cost of title insurance.

        In any case, if one reads the contract one finds so many disclaimers and conditions under which there is no coverage by the insurance that one has to wonder if the insurance is really designed for anything else but squeezing money out of the customer.

    2. peter

      Requiring insurance is actually quite standard even in a re-fi. But most title companies will re-issue insurance for a small fee. Much less than the initial fee.

  6. dave

    Brian, seeing how they handled credit cards, how does the PCI-DSS fit into this? It is not a legal requirement, but the major CC vendors, I thought, pretty much enforced compliance. Was PCI-DSS followed? If not, that would be due negligence, perhaps by both AMCA and the major CC companies. If so, is the PCI-DSS not secure enough?

    I hope you have contacts with the investigating 3rd party security firm to report back on how the breach occurred.

    1. AnonPCIQSA

      They may have been required to be PCI-DSS compliant if they processed cards. There are many ways to be validated as “compliant”. If their volume was lower than 6M transactions/yr they could Self Assess. That could mean they did a good job or a bad job at that assessment of security and compliance. Even if they had a 3rd party do the assessment, companies can hide information from assessors or just quit doing good security as soon as the assessment is over. So, it is not necessarily the PCI-DSS that would be at “fault” there. That set of requirements is a really pretty good set of controls for protecting data and systems but it has to be followed continuously and honestly. Not sure how you force entities to be altruistic in security without a whole lot more cost and monitoring…may not be realistic. Let’s all just be vigilant, informed, and then secure…. 🙂

  7. LynnLea

    As an employee of Labcorp, I’m very curious as to how anyone’s ssn was compromised as I’ve never asked for one in 7 years of employment with them. Credit Card numbers are immediately encrypted and not stored.

    If your ssn is on file, it’s because your physician submitted it, not because it was asked for. Have your doctor’s employees remove your ssn from any electronic documents that leave their office. Give them the request in writing and don’t back down on it.

    1. Joe

      Maybe not in your department. But SSN are used in billing all the time. It is how you bill many insurance carriers too, as they may not have a separate identifier other than SSN. It is also necessary for collections.

      Not sure you would really know how sensitive data like CC numbers are stored on the back end.
      Yes, encryption is used… but often just for transmission.
      And even when encrypted at rest at the payment processing agent, the decryption key is often stored right along side it so it can be used again. Otherwise, the card could only be used once. It may be encrypted in your office, but copies have to exist.

      Also, liability and responsibility are not absolved just because you didn’t ask for the information. There needs to be a data privacy policy and process established for immediate redaction of sensitive information that isn’t needed.
      Yes, redaction makes your job more difficult… but it is still your responsibility.

      If someone gave you a request in writing, to redact information that wasn’t needed… would you? Would that request even reach the right person?

      Bottom line, is that patients don’t review every document flowing between the doctor’s and 3rd parties… nor should they need to.

    2. KIDD

      If you received it, it’s your duty to protect it. Doesn’t matter if doctors sent or not. SIMPLE AS THAT!!!

    3. Name-retained

      Your comment astounds! Clearly you believe your position with the lab you work for shows you everything stored, and clearly the labs customers know differently. What employee was guarding the door when the info was shared in the first place? Like the other commenter said you receive it you gotta protect it no question – and no blaming a third party vendor. Following your same logic, why if SSN isn’t essential to the lab didn’t the lab build their system to reject all SSN? I suspect instead the labs system was built by design to receive SSNs happily so the lab bill collectors could collect aging debt.

    4. Cheryl

      S S numbers have been stored easily if the patient has/had medicare. The social security number was the insurer’s ID number with one letter to signify patient’s relation to insured. Medicare recently changed this practice with new ID numbers.

    5. Mary

      Oh really? Why did I receive a “Notice of Breach” from AMCA that my account was targeted at LabCorp and Quest Corp. and most likely my credit cards were compromised as well. Duh? They were a little late in their notice, but it did solve the mystery as to why my Key Bank debit account where I receive my alimony funds every two weeks has been systematically emptied my account now for over two months. They were just taking a couple hundred dollars at a time, but when it became obvious I knew, they just started taking everything except for $.37 or $.17. Very sadistic. The bank has issued me three different debit cards. It makes no difference. Any ideas on how to get this stopped? I’ve filed FTC report. Bank doesn’t have any interest in helping.

  8. JimV

    When it’s the largely-hidden, little-known insiders to any mega-revenue-generating scheme who get hacked like this, the principal hustlers of such a scheme aren’t the ones who get fleeced because the scheme’s IT security and its system(s) weren’t quite top-of-the-line. Unless there is a serious external investigation by relevant governmental authorities and/or action to litigate it as a consumer-based class-action in the courts, the hustlers won’t ever pay.

  9. Dean

    Since AMCA is used by these companies primarily for collection purposes, would it be reasonable to assume that if a lab test you had done was paid for by your insurance, or paid for out-of-pocket and your bill wasn’t sent to collections, that your info would not be a part of this breach?

    Regardless, this is going to get a lot worse. Quest and LabCorp are just the tip of this enormous iceberg.

    1. Jon

      @Dean – Yes, because this was a collections agency it’s likely safe to assume that if you’ve been paying your bills then your name wasn’t in their data. I’m hoping so for myself…

      @Brian – That fact should also give the hackers pause as to the quality of the data. The list of people are quite unlikely to have money to steal. How much money can they expect to bleed out of these turnips? At least one tiny bright spot in this sea of blackness.

      1. Anon404

        It doesn’t mean they don’t have my money to steal, it just means when they get stolen from it hurts more. These people are MORE at risk of cyber thieves, not less. There is no bright light at all.

    2. Mary

      I never had late payments as I have supplemental insurance and still got hacked

  10. vb

    Why should a payments website be able to expose the personal, financial and medical data on millions of patients?

    The personal, financial and medical data on millions of patients should be in a off-line database, far away from the Internet.

    The only identifier the web payment site needs is an account number, invoice number, or customer ID, which should be on the payment invoice. When a payment is made, send something to the back-office accounting system to update the patient’s ledger.

    This is just bad data management on an epic level.

    1. Readership1

      A lot of medical practices and hospitals now have online patient “portals” to review one’s own chart, test results, etc. All that’s needed to sign in is DOB, SSN, and some other static identifier available for sale.

      Who handles the portals? Third-parties, just like these bill collectors.

      You mention that billers should not be putting sensitive information online. I agree, but the medical providers are hiring them to do this stuff because politicians encouraged it.

      It’s a terrible state of affairs. Hopefully, this age of data breaches will swing the pendulum.

      1. SkunkWerks

        Well, to be fair here, they’re trying to solve a problem involving the poor transferal of hospital records from one treating entity to another- which results pretty often in poor patient outcomes.

        Isn’t there some sort of worldwide network that could be leveraged to distribute this? Oh hey! The internet!

        IMO, this is what happens when you fail to realize that your solution has problems of its own that need addressing- as you try to address the original problem.

  11. Blaster

    “We remain committed to our system’s security, data privacy, and the protection of personal information.”

    All I can hear is Charlie Brown’s teacher (https://youtu.be/q_BU5hR9gXE).

    1. Jon

      And Charlie’s scream as Lucy pulls the football away for the thousandth time.

  12. Blaster

    “If your ssn is on file, it’s because your physician submitted it, not because it was asked for. Have your doctor’s employees remove your ssn from any electronic documents that leave their office. Give them the request in writing and don’t back down on it.”

    Better yet, don’t give it to them in the first place. As far as I know in the United States, there is no legal requirement that a patient and/or their guardian/caregiver give their SSN to a doctor’s office.

    It’s interesting, actually. Just earlier this week I had occasion to visit a doctor’s office, which requested my physical address (as opposed to my mailing address, which I supplied them, only to have them tell me that their “address validation” service said it wasn’t a valid address). I told the person that she was not going to get my physical address.

    And that was that.

    People have GOT to learn to stand up for themselves. It’s pathetic…seriously.

    1. James Beatty

      You’re obviously not a Medicare or Medicaid recipient.

    2. Anon404

      Stop blaming the victim. Doctors’ offices and other businesses need to stop asking for information they don’t need. Too many people don’t know any better and just give it to them. The ones in the wrong are not the people who trust their doctor’s office, it’s the doctor’s office who asks for info they don’t need.

    3. Joe

      Unfortunately.. SSN is actually needed in a lot of scenarios.
      Billing departments do need it for many insurance carriers use SSN as a primary identifier, instead of a separate account id.
      Also, in case of collection, which is very common with healthcare in the US… the SSN is needed.

      SSN is a weird thing. It is considered sensitive information because so many institutions use it. And many institutions abuse it by considering the number as a secret only the individual should know. They treat it as an authentication factor. IT WAS NEVER INTENDED FOR THAT. Lenders have abused it along with date of birth, as the two numbers that prove identity enough to issue credit. That is insanity!

      So now, we have to protect it as if it were sensitive.
      But in the medical field and the military, it is still just an identifier, and not a secret. It is still just a unique id number to be put into the header of every document.

      Why? Because it does make sense for each individual to have a unique number that is transportable across different organizations and memorable to the individual. SSNs fit best.
      But as I said, it has been abused.

      Instead of trying to reduce the use of SSNs…. like the military tried to do… the solution is to remove its power to steal the identity. Lenders should be sued and fined for issuing credit based on open information such as address, DOB, SSN and other easily found information.

      1. Sharur

        So then what information or token would you propose be used instead?

        Name (Public)? Address (Public)? Bank Account Number (Public; its on every check you send, and stored any place you use for direct payments)? Credit Card Number(Virtually Public)?

  13. KoSReader6000000

    There are lots of good comments but the best is from Brian himself,

    “…LabCorp. said… personal and financial data on some 7.7 million consumers were exposed… at a third-party billing collections firm.. American Medical Collection Agency… AMCA… with… history of aggressively collecting debt for… medical labs …hospitals, direct marketers, telecom companies, and state and local traffic/toll agencies… AMCA …business under the name “Retrieval-Masters Credit Bureau,” a company … in business since 1977. Retrieval-Masters also has an atrocious reputation for allegedly harassing consumers for debts they never owed… The company has an abysmal “F” rating from the Better Business Bureau…”-Brian Krebs

    In other words AMCA uses front companies to hurt the most vulnerable and sick in our society. They harass the sick and poor with bogus claims of “debt owed” and then lose people’s data to other dirty data thieves.

    That reeks of an open sewer hole not to mention people smashed under the corporate bus by Quest Diagnostics and their many medical bill collector tentacles. This situation must be stopped.

    Here are some other noteworthy comments:

    “The breach was first discovered by Gemini Advisory on Feb. 28. They tried unsuccessfully — several times, they tell me — to notify AMCA. Gemini then contacted LE… Gemini had found 200,000 cards up for sale on a top-tier market, but 15% of those card had SSN, DOB, or other PII. I do think we have only seen the tip of a huge iceberg….”- Dissent

    Probably so.

    Medical franchises can be very focused on debt collection and not focused on helping sick and poor people. That is a travesty.

    Dissent’s link leads to Databreach[.]com which tells an uglier story:

    “…the end of February, Gemini Advisory analysts identified a Card Not Present (CNP) database that had been posted for sale in a dark web market. The offering had been described as “USA|DOB|SSN,” and because CNP data is rarely sold with associated date of birth and Social Security numbers… Gemini …identified several top affected banks that primarily focus on Health Savings Accounts (HSAs), Health Reimbursement Accounts (HRAs), Flexible Spending Accounts (FSAs), and Medicare Medical Savings Accounts (MSAs). These various medical accounts are used to pay health insurance deductibles, dental and vision care… Gemini Advisory attempted to notify AMCA, but tells this site that they did not get any response to phone messages they left. Not getting any response, Gemini promptly contacted federal law enforcement… the questions that AMCA did not answer was a question about HIPAA. I can find no reference to HIPAA on their site, but medical collection agencies generally have obligations under HIPAA and HITECH in the event of a breach and must have business associate agreements in place with HIPAA-covered entities… “-Databreaches

    Yes.

    This shows extreme disdain for HIPAA and other laws not to mention disdain for poor sick people. See Dissent’s link at the bottom of his post to get all of the details.

    Next is website owner medicalquack’s post:

    “We should …remember that Optum 360, a subsidiary of United Healthcare does all the Quest billing too so they’re in here too. Most folks don’t pay attention to what goes on in subsidiaries but …that’s where the action happens, in places where people won’t bother to look or educate themselves, been going on for years… I keep saying before we can have any privacy and accountability, we need to index and license the data sellers/sharers, so we know who they are…”- medicalquack

    That is true.

    I understand your discomfort. There are not any debtor prisons in the USA. But, there are “medical bill collectors” who can make your life seem like prison.

    Many of these sleazy bill collectors are not only hidden by multiple front companies but are also whole or partly located off-shore so they can handily telephone and stalk the poor disabled Americans out of reach of American law enforcement.

    A while back I had a freshly graduated high school friend who was diagnosed with a fast growing head-neck tumor. To save his own life he went to the hospital, signed various contracts and had the tumor partially removed. Soon after the hospital and doctor’s bill arrived crushing him under the wheels of debt.

    He had to go into bankruptcy and give up all his cash and all assets to complete the bankruptcy procedure.

    The part that added insult to injury was that due to some type of “debt-rescheduling” he was hounded by greasy bill collectors located on some British island.
    They ruined his credit record – not to mention his ability to pay for the second medical operation to ensure his recovery.

    You would be surprised what bankruptcy does for your medical insurance or your inability to get it. Certain bankruptcy courts don’t clear all debt or certain debt collectors find a way around the bankruptcy court.

    Some of us in need of immediate [life or death] medical attention have had to be wheeled from the ambulance into the emergency room only to be greeted by person with a set of complex contracts to be signed – assuming your bleeding did not soil the paperwork – before being given full medical treatments.

    It is a horrible situation. These “medical bill collectors” who can get your Social Security Number from many-many sources should be identified and sanctioned.

    1. Marti

      AMCA should add # of customer records exposed to their “Fun Facts” section of their homepage

  14. Red

    It is scandalous how little these highly profitable companies are willing to spend on effective cybersecurity and social engineering policies and procedures. These breaches should not happen. When they do, fines should be high – in the millions.

    1. James Beatty

      Just wondering – how do you know that AMCA is a “highly profitable” company?

  15. Not bending over

    Today, my wife (working as a temp contractor for Feds 6 years after retirement) sent me a billing notice (with a handy link to set up quick payment) of a $15 bill from Quest. Now mind you we both share our health plan and both have MEDICARE as primary insurance. What that means ANY medical charges wind their way through Medicare for even entering our medical plan (that does use Quest/MedCorp). In a word it’s usually about 30-46 days before we’re sent a bill for any balance/copay we might owe. She has not had any lab work for over a year. Me? I actually had a blood test two days ago to assess results from a new Med.
    So this notice was very suspicious. No ref about what charges were for or anything. We have no choice but to assume this is phishing rooted in the Quest/MedCorps and now (according to this Krebs post) the outsourced bill collection where the hole was, apparently. This is moving very fast and there’s a light at the end of the tunnel maybe but it’s another train headed our way down the same track.

    1. Mahhn

      Would you mind sharing the content of the Email and any links (only after you verify it is NOT legitimate), so we can see what the phish is like.

  16. PDCLarry

    I just logged in to my Quest portal and discovered that my account number is my SSN. I have requested account cancellation. Fortunately my local hospital offers outpatient lab services that are almost as convenient as Quest. The one advantage of Quest is that it is 2 blocks away; the hospital outpatient center is a mile away.

  17. Rebecca

    Anyone want to buy my name, address, ss#, card#, email, banking account#, CVV2 and anything else that I hold private and dear?

    I just figured I could profit a bit before the fraudsters since clearly they now know everything about me. INSANE!!!

    Does it ever end?

  18. Name-retained

    Ty for the article!

    Question, or did I miss mention of it? If one has had to pay one of these labs, but paid timely, is there any confidence their info was not stolen? I mean, that cc info was included…

    Says credit bureau, but gosh if reportedly one company was calling folks who owe nothing, I ask myself if a list of all folks (not just of folks) was being shared from lab to credit collection company(s)? If so, seemingly more liability on labs part than there than might be assumed at first skim.

  19. NCIP

    It is near impossible to avoid data breaches, it is surprising, as industry awareness and spending increases so does the steep increase in breaches.

  20. meh

    If the government was actually doing its job companies like this, Navient and all of the credit bureaus wouldn’t exist.

    Rolling back consumer protections affects us all, about time for some serious reform however it won’t happen under the current crook in chief.

  21. Christopher

    Asking a doctors office to remove SSN sent to others is the same as saying “I am a difficult patient”. Most doctors front desk help around where I live treat patients poorly and do not honor any requests. If you have to see more than one doctor, the odds are that such a request will be seen only as a request for abuse and they will still send your SSN. The solution needs to be a legal and enforcement one. It would be informative to see which members of congress have proposed or supported good legislation on this matter.

    1. meh

      Makes me wonder if there are any places in the world getting it right. I feel like poor data security is just one of many aspects showing we’re living in a second dark ages. Seems like every major country around the world has allowed predatory corporations to saddle and pursue everyone with debts regardless of the cause or legitimacy of them. In the USA it seems like consumer protections have been on the decline for 40 years and nobody seems interested in standing up and pushing for reform. We got an election coming up in a year, main contenders include the crook in chief and his opponent the guy who took away bankruptcy for private student loans.

  22. Donna Allred

    I have to have blood tests done regularly.
    I am afraid to go to LabCorp or Quest.
