Cyber Incident Victim: American Medical Collection Agency
Date:
Aug 2018
Location:
United States of America
Summary
A cybersecurity breach at American Medical Collection Agency, a third-party billing vendor, compromised sensitive data of approximately 11.9 million patients associated with medical testing firm Quest Diagnostics. Unauthorized access to payment systems resulted in the theft of credit card details, personal information, and medical data, though laboratory test results remained unaffected. The incident prompted the medical testing company to suspend its relationship with the vendor and engage external security experts to assess the impact. The collections agency initiated an internal investigation and notified law enforcement. This marked the second security incident impacting the same medical firm’s customer base within a short period, following a prior breach involving unauthorized data access.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The American Medical Collection Agency (AMCA) experienced a data breach impacting medical testing company Quest Diagnostics, as disclosed in a June 2019 SEC filing. Unauthorized activity occurred on AMCA’s payment systems between August 1, 2018, and March 30, 2019, compromising credit card numbers, medical information, and personal data of approximately 11.9 million Quest patients. Laboratory test results remained unaffected. Quest stated it could not independently verify the accuracy of AMCA’s breach details but confirmed the collections vendor processed financial transactions for its patients. The breach was attributed to malicious interference with AMCA’s web payment pages, though specific technical methods were not detailed. Quest halted further collection requests to AMCA pending investigation and engaged external cybersecurity experts to assess the incident’s scope. AMCA, represented by crisis communications firm Brunswick Group, acknowledged an ongoing investigation and notification of law enforcement but did not disclose forensic findings or attacker attribution.
This incident marked Quest Diagnostics’ second major breach within three years, following a 2016 intrusion affecting 34,000 patients. The AMCA breach coincided with a surge in payment card-skimming attacks against companies like British Airways, Ticketmaster, and Newegg by groups collectively dubbed Magecart, though no direct link to those campaigns was confirmed. Data exfiltration persisted undetected for eight months until AMCA identified the intrusion, though neither AMCA nor Quest specified detection methods. Consequences included prolonged exposure of sensitive patient financial and medical data, though no fraudulent use was confirmed in initial disclosures. AMCA’s delayed public acknowledgment—nearly three months after the breach window closed—raised concerns about third-party vendor transparency. Quest’s termination of its AMCA partnership reflected immediate containment efforts, while the lack of shared remediation steps by AMCA left systemic vulnerabilities unaddressed in public reporting.