AMCA Data Breach Impacts 12 Million Quest Diagnostics Patients

A hacker has gained access to the systems of Elmsford, NY-based billing collections company American Medical Collection Agency (AMCA) and potentially viewed and copied the protected health information of 11.9 million patients of Quest Diagnostics.

Quest Diagnostics is one of the largest blood testing laboratories in the United States but is just one entity that uses AMCA services. It is possible that the breach could be much larger and impact patients of other healthcare organizations. At almost 12 million records, it is already the second largest healthcare data breach ever to be reported, behind Anthem’s 78.8 million record data breach of 2015.

The data breach first came to light in May 2019 when researchers at Gemini Advisory notified databreaches.net that they had discovered the payment card details of around 200,000 patients listed for sale on a darknet marketplace. Gemini Advisory determined that the credit card details came from AMCA and appeared to have been obtained between September 2018 and March 2019.

Gemini Advisory notified AMCA about the potential breach but received no response. The matter was then reported to law enforcement, which contacted AMCA to confirm that a breach had occurred.

AMCA provides billing collection services to Optum360, which is a business associate of Quest Diagnostics and a unit of the health insurer UnitedHealth Group. AMCA notified Quest Diagnostics and the revenue cycle management vendor Optum360 about the breach on May 14, 2019.

AMCA said a breach had occurred that resulted in the exposure of patient data between August 1, 2018 and March 30, 2019. Computer forensics experts have been retained to investigate the breach and determine exactly how many patients have been affected; the investigation is ongoing. AMCA suspects around 11.9 million Quest patients have been impacted by the breach. AMCA also confirmed the compromised system contained data from entities other than Quest Diagnostics.

The hackers gained access to systems containing information such as names, personal information, Social Security numbers, financial information, and medical information, although no laboratory test results were compromised.

While Quest Diagnostics and Optum360 have been made aware of the scale of the breach, they have not yet received full information about the patients who have been affected. Quest Diagnostics also said it has not yet been able to verify the accuracy of the information provided by AMCA.

Quest Diagnostics has issued a statement saying it is working closely with Optum360 and will send notification letters to all affected individuals when AMCA provides full details of the breach.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.