BioReference Laboratories, a subsidiary of Opko Health, suffered a cyberattack that affected 400,000 customers' personal data
On Monday, 7th of June, American Medical Collection Agency (AMCA) informed Opko Health, one of the largest health organizations in the world, that its payment site had been compromised, affecting 422,600 customers. The unauthorized access allowed unknown parties to reach data such as bank account and credit card information, as well as the full address, phone number, and account balance, as stated in the SEC filing:
AMCA advised that AMCA’s affected system includes information provided by BioReference that may have included patient name, date of birth, address, phone, date of service, provider, and balance information. In addition, the affected AMCA system also included credit card information, bank account information (but no passwords or security questions) and email addresses that were provided by the consumer to AMCA.
BioReference Laboratories Inc is one of Opko's subsidiaries and was active between August 1, 2018, and March 30, 2019.
Opko Health is not the only company affected by the data breach, as AMCA also alerted the company's rivals Quest Diagnostics Inc and Laboratory Corporation about the same issue, which affected 11.9 million and 7.7 million users, respectively, totaling 19 million customers.
The incident is under investigation by the state attorneys of New York, Minnesota, North Carolina, and Michigan.
AMCA is offering identity protection to the victims
American Medical Collection Agency said that it would provide comprehensive protection to victims whose bank account and credit card information was affected by the incident:
AMCA advised BioReference that it is sending notices to approximately 6,600 patients for whom BioReference performed laboratory testing and whose credit card or bank account information was stored in AMCA’s affected system. AMCA indicated that it will provide these affected patients with more specific information about the AMCA Incident in addition to offering them identity protection and credit monitoring services for 24 months. AMCA has not yet provided BioReference a list of the affected patients or more specific information about them. AMCA has advised BioReference that AMCA is providing notice to state attorneys general and other state agencies as required by applicable state data breach laws.
According to the statement, the compromised information that BioReference provided to AMCA includes:
- Date of birth
- Phone number
- Balance information
Nevertheless, AMCA also stated that another portion of data that was provided by consumers included bank account information, credit card information, and email addresses. Fortunately, no Social Security numbers, passwords, or security questions for the banking details were affected.
OPKO itself stated that no laboratory results or diagnostic information were exposed to unauthorized parties.
Data breaches in the medical sector are extremely valuable for hackers and very harmful for victims
According to the SEC filing, BioReference Laboratories Inc's collection requests to AMCA have been terminated since October 2018, and the company also said that it does not wish to proceed with any open applications and asked for them to be ceased as well.
The medical sector is one of the most targeted by cybercriminals, as harvested data is extremely useful: it can be sold on the dark web or used directly for fraud. Besides, patients whose information has been exposed are at risk of identity theft and low credit reports, and their financial future might be jeopardized.