
Digital Guardian's Blog

AMCA Breach Total Hits 22.2 Million Patients

by Chris Brook on Thursday July 18, 2019


An additional 2.2 million patients have had their data compromised by a data breach at AMCA, the now bankrupt medical debt collector.

The tentacles of a breach at the American Medical Collection Agency, a medical debt collector, continue to claim victims. The latest, Clinical Pathology Laboratories, Inc., a network of more than 100 pathologists based in Texas, acknowledged this week that 2.2 million of its patients had their data compromised by the breach.

The 2.2 million join at least 20 million others, including patients at healthcare companies like Quest Diagnostics, LabCorp, Carecentrix, BioReference Laboratories, and Sunrise Laboratories, as victims implicated in the breach.

The Texas facility disclosed that it was a victim on Friday, confirming it was notified by AMCA in May – presumably around the same time it notified Quest Diagnostics and Optum360, a Quest contractor – but didn't receive enough information about which employees were affected, something which forced it to delay its own breach announcement.

Like many of the facilities, Clinical Pathology Laboratories used AMCA as its collection agency.

In the notice, CPL confirmed it’s no longer using AMCA for collection efforts. It's unclear whether AMCA will continue to operate; the company looks poised to shutter after filing for Chapter 11 bankruptcy last month.

According to CPL, patient names, addresses, phone numbers, dates of birth, dates of service, balance information, credit card or banking information and treatment provider information may have been impacted by the breach. While for some entities the AMCA breach resulted in compromised Social Security numbers, that doesn't appear to be the case with CPL's patients: "AMCA has advised CPL that its patients’ social security numbers were not involved in the incident," the statement reads.

AMCA said Social Security numbers were among the data compromised for roughly 11.9 million patients of Quest Diagnostics.

We learned last month that the breach may have occurred as early as August 2018 but wasn't uncovered until March this year, when AMCA received a number of CPP notices that implied that credit cards used on its web portal had been associated with fraudulent charges. CPP, or Common Point of Purchase, notifications, issued by payment companies like Visa, MasterCard, and Discover, can help identify at-risk or compromised cards by analyzing patterns in spending vendor by vendor.

The breach is quickly turning into one of the biggest healthcare supply chain stories of the year.

The fact that AMCA didn't know about the breach until eight months after it happened is certainly concerning, but it's equally troubling that many of its clients, large healthcare organizations, didn't fully know the scope of the attack until months later. CPL said last week that its investigation into exactly which of its patients were impacted is still ongoing.

The disclosure came the same day Sen. Robert Menendez (D-N.J.) – a politician who sought answers from Quest Diagnostics after it announced that it was part of the breach – renewed calls pressing for AMCA executives to answer questions about the hack in front of Congress.

“We cannot allow this company to escape its responsibility to patients and ignore our legitimate questions by hiding behind bankruptcy,” Menendez told the Washington Post on Thursday.

Tags: Healthcare


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.