AMCA Makes Statement on Quest Diagnostics Vendor Breach

The AMCA said they hired a third-party external forensics firm to investigate the Quest Diagnostics data breach

• By Kaitlyn DeHaven
• Jun 05, 2019

Following an announcement from Quest Diagnostics regarding their billing collection service provider data breach on Monday, the American Medical Collection Agency (AMCA), the billing collection service provider for Quest, said they are taking necessary measures to protect their customers’ privacy.

A spokesperson for the AMCA said that the agency is doing its best to contain the breach by taking down routes the attacker could have taken to expose the information.

The spokesperson said the AMCA “hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident.”

While Quest claims they do not have the “complete information” on which customers were affected by the breach, they will “ensure that Quest patients are appropriately notified consistent with the law.”

Stephen Breidenbach, the co-chair of the Cybersecurity, Privacy, and Technology Practice Group at New York law firm Moritt Hock & Hamroff, told The Hill that containing the breach by finding the avenue the attacker utilized to reach the information should be the AMCA’s priority.

“It's very important at this stage that AMCA contain the breach and ensure the attacker has not established a method to reenter AMCA's systems,” Breidenbach said.

He said that even though the agency believes they have found the way the attacker initially breached the system, they must make sure all other ways the attacker could potentially get in are secure.

“Just because the company found and closed the door that the attacker came through does not mean all the doors to the business (e.g., other unpatched programs) are shut,” Breidenbach said. “It also doesn’t prove that the attacker never established an alternative method of entry, such as installing his/her own software that allows the attacker to reconnect to the network independent of the vulnerability.”