AMCA Breach Sparks Flurry of Lawsuits and Investigations
The dust has barely settled after the news of the massive data breach at American Medical Collection Agency (AMCA) broke last week, but already more than a dozen lawsuits have been filed by victims of the breach.
The breach was officially announced by Quest Diagnostics on June 3, 2019 through an 8-K filing with the Securities and Exchange Commission (SEC), followed by an SEC filing by LabCorp on June 4, 2019, and shortly afterwards by BioReference Laboratories. Currently, the personal information of up to 20 million individuals has potentially been compromised.
The data breach at AMCA was identified by security researchers at Gemini Advisory, who found a batch of 200,000 payment card numbers for sale on a popular darknet marketplace. The batch also included dates of birth and Social Security numbers. AMCA and law enforcement were notified, and systems were secured. However, the investigation revealed that hackers had access to its web payment portal for 7 months.
It would appear that the hackers behind the breach have at least made an effort to monetize some of the stolen data, so it is no surprise that there has been a flurry of class action lawsuits filed on behalf of victims of the breach. Plaintiffs in the lawsuits claim to have been harmed as a result of the data breach.
Most of the lawsuits name one or more of the laboratories where testing occurred – Quest Diagnostics, LabCorp and BioReference Laboratories. A small number also name AMCA and the company Optum360. Optum360 was a business associate of Quest Diagnostics. Under certain circumstances, when a patient did not pay a bill, Quest Diagnostics sent the patient’s information to Optum360, which passed the data to AMCA for collection.
Several of the class action lawsuits allege negligence and breach of implied contract for failing to secure personal information. One complaint alleges that the use of encryption and the adoption of national and industry standards were warranted to prevent reasonably foreseeable harm to patients, and that even though the defendants had the funds available to implement controls to prevent the breach, they failed to adequately invest in their security programs.
The lawsuits allege various violations of state laws and are seeking damages, monetary relief, and penalties to be issued over the privacy violation.
Only a small percentage of the individuals have been notified about the breach by AMCA – mostly individuals who had their financial information exposed. The healthcare organizations that provided AMCA with health information are still waiting to receive details of all individuals affected. As more notification letters are sent, it is likely that the number of affected individuals in these class action lawsuits will swell and that further lawsuits will be filed.
In addition to battling the class action lawsuits, all of the entities involved now face scrutiny by state and federal regulators and Congress. The breach will certainly be investigated by the HHS’ Office for Civil Rights to determine whether HIPAA Rules have been violated. So far, at least six state attorneys general (Michigan, New York, Minnesota, North Carolina, Illinois and Connecticut) have launched investigations into the breach and have demanded answers.
If the investigations do uncover noncompliance with state or federal laws, financial penalties may be pursued. Already this year, state attorneys general have joined forces and filed a multi-state HIPAA lawsuit against Medical Informatics Engineering over its 2014 data breach. That breach resulted in a settlement of $900,000.