LabCorp Breach Results in the Leaking of the Data of 7.7 Million Clients

Last updated September 17, 2021
Written by: Bill Toulas, Cybersecurity Journalist

LabCorp, the U.S. clinical and medical lab testing expert, has announced a data breach that exposed the personal and financial information of approximately 7.7 million customers. The part of the network that was exposed was not directly operated and managed by LabCorp, but by one of its collaborators, the billing collections company AMCA (American Medical Collection Agency). This comes only days after a competitor firm, Quest Diagnostics, announced that the data of nearly 12 million of its patients had leaked, again through AMCA, so the two incidents are almost definitely related.

As required by law, LabCorp informed the U.S. Securities and Exchange Commission of the details of the breach. The breach spanned from August 1, 2018, to March 30, 2019, so the time of exposure is beyond anything safe or even acceptable. The information that leaked through AMCA’s activities includes client first and last names, dates of birth, home addresses, phone numbers, dates of service, and balance information. Moreover, credit card and bank account information was associated with about 200,000 clients. Not included were insurance identification information, Social Security numbers, diagnostic information, and laboratory tests.

The 200k clients who have had their financial details exposed will be notified by letter after the security and I.T. forensics firm that collaborates with LabCorp and AMCA concludes its investigation. The Quest patients are waiting for the same, but no clarifications have been provided to them yet either. AMCA has not answered questions such as whether hackers accessed databases or compromised the firm’s payment webpage, so people have no way of telling whether they have been affected. However, LabCorp and Quest are unlikely to be the only two entities to have lost sensitive client information through AMCA.

AMCA collaborates with many other companies, such as United Healthcare, EZPass, and American Traffic Solutions (ATS). That said, it is very likely that the personal and financial details of many customers of these companies have leaked as well. This is not the first time that a company unknown to the general public has turned out to hold millions of sensitive records on behalf of other companies. People hand over their information to a firm they trust and then lose track of who may end up with it, have no option to allow or disallow this sharing, and end up exposed to the dangers of hacking and bank fraud.

Do you think that companies should be forced to ask for the consent of their customers in order to share their information with other firms? Let us know where you stand in the comments down below, and also on our socials, on Facebook and Twitter.


