The hack of the American Medical Collection Agency (AMCA), a third-party bill collection vendor, continues to expand, now impacting 20.1 million patients across three laboratory services providers.

In the wake of revelations that the personal data of 12 million patients from Quest Diagnostics had been potentially compromised by an infiltration of AMCA systems, another 7.7 million patients from LabCorp were shown on Wednesday to be impacted. And 400,000 victims from OPKO Health have now been added to the tally as of Thursday.

The exposed information includes personally identifiable information such as names, addresses and dates of birth, but also payment data. All three companies are clinical laboratories offering blood tests and the like, and all three relied on AMCA to process a portion of their consumer billing.

In a filing with the U.S. Securities and Exchange Commission (SEC), AMCA told OPKO that an unauthorized party accessed the data of around 422,600 patients between August 1 and March 30, 2019 (the same dates affecting the other two providers). The information was provided by BioReference, an OPKO subsidiary, and “may have included patient name, date of birth, address, phone, date of service, provider and balance information. In addition, the affected AMCA system also included credit card information, bank account information (but no passwords or security questions) and email addresses that were provided by the consumer to AMCA… no Social Security Numbers were compromised… and no laboratory results or diagnostic information.”

AMCA also said that it will send breach notifications to “6,600 patients for whom BioReference performed laboratory testing” whose payment card information was exposed.

The culprit in the breach appears to be an insecure web payments page maintained by AMCA that consumers could use to pay their bills – it has been taken down, according to the filing. AMCA also said that it has hired a firm to help it improve its security posture overall.

That’s probably a good thing, given that Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, noticed that the payment page isn’t the only page lacking security on the site.

“It is telling that AMCA’s main website does not enforce encryption like most websites do, and when you manually switch to HTTPS to try to secure the connection, it presents you with the wrong certificate for another web site called retrievalmasterscreditorsbureau.com, which also happens to have expired a year ago,” he said, via email.
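The two certificate defects Hahad describes, a certificate issued for a different site and one that is past its expiry date, are exactly what a browser checks before trusting a connection. As an added illustration (not code from the article, AMCA or Juniper), the function below runs those checks against the dictionary that Python's `ssl.SSLSocket.getpeercert()` returns; the certificate, hostnames and clock value are constructed samples.

```python
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# a cert issued to one site (and its one-label wildcard) that expired in 2018.
SAMPLE_CERT = {
    "subject": ((("commonName", "creditors-bureau.example"),),),
    "subjectAltName": (("DNS", "creditors-bureau.example"),
                       ("DNS", "*.creditors-bureau.example")),
    "notBefore": "Jun  1 00:00:00 2017 GMT",
    "notAfter": "May 31 23:59:59 2018 GMT",
}
# Constructed "current time" for the check (UTC, as cert_time_to_seconds uses).
NOW = ssl.cert_time_to_seconds("Jun  4 12:00:00 2019 GMT")


def _names_from_cert(cert):
    """DNS names the certificate is valid for (SAN first, CN only as fallback)."""
    names = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v.lower() for rdn in cert.get("subject", ())
                 for key, v in rdn if key == "commonName"]
    return names


def _name_matches(pattern, hostname):
    """Exact match, or a wildcard that covers exactly one leftmost label."""
    if pattern.startswith("*."):
        return (hostname.count(".") == pattern.count(".")
                and hostname.endswith(pattern[1:]))
    return pattern == hostname


def check_cert(cert, hostname, now=None):
    """Return the problems a browser would flag for `cert` presented by `hostname`."""
    now = time.time() if now is None else now
    host = hostname.lower()
    problems = []
    names = _names_from_cert(cert)
    if not any(_name_matches(n, host) for n in names):
        problems.append(f"hostname mismatch: cert is for {', '.join(names) or '<none>'}")
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now > not_after:
        problems.append(f"expired {int((now - not_after) // 86400)} days ago")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    return problems


if __name__ == "__main__":
    for problem in check_cert(SAMPLE_CERT, "amca.example", NOW):
        print("certificate problem:", problem)
```

Pointing the same function at a live server means calling `getpeercert()` on a socket wrapped with `ssl.create_default_context()`; the context already rejects both defects, so the value of this check is the explanatory output, not a replacement for the library's validation.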

While lab results don’t seem to be part of the mix of exposed information according to the SEC filing, Quest did say in its notice that “AMCA’s affected system included information provided by Quest to help patients understand what they were being charged for, and to allow patients to submit an insurance claim when appropriate” – which could include personal health data.

Medical-related information is valuable to cybercriminals, who can use personal and demographic information, financial statements, health details and insurance information for identity theft, insurance fraud, financial gain or even blackmail, according to Don Duncan, security engineer for NuData Security.

“With healthcare information, cybercriminals can pose as doctors and patients to put in false claims or even change the records of patients,” he said, via email. “This poses a severe danger to patients’ health and to their pocketbooks. Additionally, there is no mechanism in place to address records that have been altered.”
