2.2 Million Clinical Pathology Laboratories Patients Affected by AMCA Breach

Clinical Pathology Laboratories in Texas has recently discovered the protected health information (PHI) of approximately 2.2 million of its patients has potentially been compromised in the data breach at American Medical Collection Agency (AMCA).

AMCA provides debt collection services to many healthcare companies, which requires access to the PHI of patients with outstanding bills. A cyberattack on the AMCA payment website allowed hackers to can access to the site, and through it, the PHI of patients. Hackers had access to the payment website for 8 months before the breach was detected.

As of today, July 18, 2019, five AMCA clients have confirmed they have been affected by the breach. First came Quest Diagnostics, which announced through an SEC filing that 11.9 million of its patients had been affected. That was closely followed by LabCorp’s announcement that 7.7 million records had been exposed.  BioReference Laboratories also confirmed that around 422,000 of its patients had been affected, and recently 13,000 patients of Penobscot Community Health Center in Maine have been confirmed to have been affected. To date, more than 22.2 million patients are known to have been affected by the breach.

All of the above healthcare providers were notified in May, two months after AMCA became aware of the breach. However, only limited information about the breach was provided initially as AMCA continued to investigate.

Clinical Pathology Laboratories was notified in May but was not provided with sufficient information about who had been affected, so its breach announcement had to be delayed. AMCA has now confirmed that names, addresses, birth dates, dates of service, account balances, and credit/debit card or banking information were potentially compromised.

AMCA has started sending notification letters to all affected Clinical Pathology Laboratories patients. So far, around 34,500 letters have been sent. Those individuals had their personal and financial information exposed. AMCA has since discovered a further 2.2 million patients had their data exposed, although credit/debit card and banking information was not held for those customers.

As has been the case with all other affected entities, Clinical Pathology Laboratories has stopped doing business with AMCA. AMCA’s parent company has filed for Chapter 11 protection, several lawsuits have been filed, and several state Senators have written to AMCA demanding answers. OCR will also be keen to discover how such a major breach could have occurred and fail to be detected for 8 months. Questions will also be asked about the breach response. Despite discovering the breach in March 2019 or earlier, it took until June 4 for notification letters to start being issued.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.