BURLINGTON — Alamance County’s largest private employer is facing a number of lawsuits over hackers getting personal data on 7.7 million customers.
Three federal class-action suits have been filed against LabCorp in the U.S. District Court for the Middle District of North Carolina, but many more have been filed in federal courts all over the country.
The medical testing company based in Burlington announced June 4 that millions of its customers were caught up in an eight-month breach of the American Medical Collections Agency, which collected delinquent bills for LabCorp, its competitor Quest Diagnostics and other companies, like Optum 360. According to Classaction.org, which is recruiting plaintiffs, as many as 20 million patients could be affected across all of AMCA’s client companies.
According to one suit filed in North Carolina, Gene Hively v. Laboratory Corporation of America Holdings, stolen patient information could include Social Security numbers, credit card and bank account information, medical information, and identifying information like names, addresses and birth dates.
Stolen data, according to Hively’s complaint, include about 200,000 LabCorp patients’ credit card numbers, and bank account information may have been taken. AMCA hasn’t yet provided LabCorp with a list of those patients.
The AMCA breach happened between Aug. 1 and March 30, the company has said, though AMCA is not the entity that discovered the breach. According to Tatyana Shulman v. Laboratory Corporation of America Holdings, Gemini Advisors, a data security company that wasn’t working for AMCA, found a lot of compromised payment cards on a dark web market in late February, a month before the breach was stopped, and traced them back to the AMCA online portal. Gemini notified AMCA on March 1, but did not get responses to phone messages, so it notified federal law enforcement, which contacted AMCA.
The plaintiff in that suit, Shulman, was the victim of credit-card fraud twice during the data breach, according to her federal complaint.
Plaintiffs in these suits are calling AMCA’s security measures inadequate, judging by the length of time it took to detect the breach, 242 days or about eight months, while technology security company FireEye says the median time to detect a breach in 2018 was 78 days, according to the Shulman complaint.
The medical industry is a particular target of hackers, according to multiple complaints, and the FBI publicly warned the industry in 2014 that its security measures were not adequate, according to the Shulman complaint.
AMCA also didn’t use the most secure and up-to-date payment systems, according to the Shulman complaint. The payment card industry, it reads, recommends “point-to-point encryption,” which would have made financial-card data unreadable to the hackers.
LabCorp, according to all three suits filed in Greensboro, failed to “properly monitor its vendors to ensure that proper data security safeguards were being implemented.”