In what is likely to be a developing (and increasingly bad) news story, two major medical testing companies have announced that their customers’ information has been exposed by a data breach at a vendor that both firms use for payment collections. The firm, American Medical Collections Agency (AMCA), informed its two clients separately of a persistent security breach in which, over the course of 8 months, 11.9 million Quest Diagnostics customer records and 7.7 million LabCorp customer records were exposed and most likely stolen by as yet unidentified threat agents. And seeing as this company also has several other, as yet unidentified clients, it’s likely we will see even more disclosures from those companies once the full extent of the AMCA breach is explored.
But wait…there’s more!
Real estate title insurance giant First American Financial Corp. is currently under investigation by regulators for what appears to be a colossal security failure wherein their website exposed over 800 million documents dating back nearly 16 years that contained customer bank account numbers, Social Security numbers, mortgage, tax and wire transaction records, as well as driver’s license images. Unfortunately, the security researchers who originally discovered and confirmed the glaring privacy breach have no way to determine who else accessed the documents during the nearly 2 years they were exposed, but as you can imagine, this level of confidential information is exactly what identity thieves dream about every night.
What’s to be done about this?
At most, you might be able to participate in a class action lawsuit against First American. As of yet, no litigation has been opened against AMCA, and frankly, most people would have no idea who either of these companies is, as they don’t deal directly with the people who are affected by their breaches. Surely regulators and lawmakers are going to punish these companies significantly, especially in light of an egregious lack of diligence, as in the case of First American. Surely companies will stop doing business with vendors that aren’t taking security and privacy seriously, right? The fact that companies like Equifax are still in business says otherwise, so the only way we are going to see these companies held properly accountable is to vote in lawmakers who care more about their constituents than their corporate donors.