Data Insider, Digital Guardian's Blog

Medical Debt Collector Poised to Shutter Following 2018 Breach

by Chris Brook on Wednesday June 19, 2019


A data breach, and the cybersecurity consulting costs, legal requirements, and regulatory obligations that followed it, proved too much for this company to come back from.

Company news following a data breach can sometimes be inspiring: some stories are about recovery, others about transparency. In reality, though, that is not always how it ends.

If damaging enough, data breaches can serve as the death knell for a company.

The American Medical Collection Agency, a medical debt collector headquartered in Westchester County, New York, filed for Chapter 11 bankruptcy protection this week, a signal that a breach it experienced last year may have been too much for the company to mitigate.

Russell Fuchs, AMCA's founder and CEO, filed a declaration in United States Bankruptcy Court for the Southern District of New York on Monday in support of the action, under the name of its parent company, Retrieval-Masters Creditors Bureau, Inc.

According to the declaration, AMCA became aware of the breach in March 2019 after receiving a slew of Common Point of Purchase (CPP) notices from card issuers. Such a notice indicates that a group of payment cards later used for fraudulent charges share one merchant in common; in this case, the common point was AMCA's web payment portal.

While the breach was initially believed to have affected 200,000 people, further review put the figure at 100 times that: up to 20 million patients, including patients of healthcare clients Quest Diagnostics, LabCorp, CareCentrix, BioReference Laboratories, and Sunrise Laboratories, may have been affected.

Unbeknownst to AMCA, the company’s web payment portal began leaking customer data, including names, home addresses, phone numbers, dates of birth, Social Security numbers, payment card details, and bank account information, after the company's servers were hacked in 2018.

If a patient paid for laboratory work through one of the aforementioned clinical or blood testing firms dating back to last summer, and used AMCA’s portal to pay for it, their data may have been compromised.

According to Fuchs, the company "has always been adequately capitalized to operate its business," but the losses incurred by the breach, including $400,000 spent on IT professionals and consultants from three different firms, were beyond its ability to bear. The unnamed outside consultants determined that AMCA's servers had been hacked as early as August 2018.

Gemini Advisory, a firm that works with financial organizations to monitor underground markets, notified the website DataBreaches.net in May that its researchers had found payment card data on 200,000 AMCA patients for sale on a marketplace. That number rose: in a Securities and Exchange Commission 8-K filing earlier this month, Quest Diagnostics said AMCA had told it that 11.9 million Quest patients were impacted by the breach. BioReference Laboratories added to that figure, confirming in an 8-K filing of its own that AMCA informed the company that data on 422,600 patients it had performed testing on was affected.

While AMCA obviously lost business following the breach – some of its largest clients terminated their relationship with the company – a lack of visibility around its data also appears to have contributed to AMCA’s downfall.

Because it couldn't determine which data had been accessed, the company had to operate under the assumption that all of the information on its servers had been compromised. According to Fuchs, satisfying its legal requirements and regulatory obligations on that assumption meant spending nearly $4 million, "more liquidity than [it] had available," to mail over seven million individual notices to those whose data may have been breached.

That AMCA went from August 2018 until March 2019 without realizing its servers had been hacked means patient data was exposed for more than half a year. Worse, when the intrusion was finally found, from the outside rather than by its own monitoring, the company had no record of what had been touched, so it could not narrow the scope of the breach and had to notify everyone. A data-centric approach to security, one that tracks where sensitive information is stored and records who accesses it and when, addresses both problems: it shortens the window between compromise and detection, and it gives an organization the evidence it needs to determine which records were actually affected rather than assuming the worst.

Tags: Industry Insights, Healthcare

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.