HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

AMCA Data Breach Tally Passes 20 Million as BioReference Laboratories Added to List of Impacted Entities

The total number of victims of the American Medical Collections Agency (AMCA) data breach has now passed 20 million, as yet another healthcare organization has been confirmed as being affected by the breach.

New Jersey-based laboratory and clinical testing company BioReference Laboratories is the latest confirmed victim, with approximately 422,600 of its customers having had their personal information exposed in the AMCA data breach.

BioReference Laboratories joins Quest Diagnostics/Optum360 (11.9 million records) and LabCorp (7.7 million records), with the total number of compromised records now standing at 20,022,600 records. That number may well continue to grow as the investigation progresses and more healthcare entities are notified that their data has also been compromised.

BioReference Laboratories confirmed the breach in an 8-K Securities and Exchange Commission (SEC) filing on Monday. The OPKO Health subsidiary was notified that it had been impacted by the breach on June 3, 2019.

The breach at AMCA occurred between August 1, 2018 and March 30, 2019, during which time hackers had access to the AMCA web payment page, which included data of several healthcare clients.

Patients who had received BioReference Laboratories testing services had the following information compromised: Name, address, phone number, date of birth, date of service, email address, provider information, balance information, and bank account information. No Social Security numbers, medical information, test results, or passwords/security questions and answers were exposed.

AMCA has confirmed that approximately 6,600 customers of BioReference Laboratories whose financial information has been exposed have been notified by AMCA and offered complimentary credit monitoring and identity theft protection services for 2 years.

As is the case with the other affected entities, only basic information has so far been provided by AMCA. No company affected by the breach has so far been provided with full details of the individuals affected, so breach notification letters cannot yet be sent.

BioReference Laboratories said it is attempting to obtain further information about the breach from AMCA and when that information is received additional steps will be taken. BioReference Laboratories notes that no collection requests have been sent to AMCA since October 2018 and a request has been submitted to AMCA to stop working on any pending collections requests.

Several state Attorneys General have confirmed that they have launched investigations and have contacted AMCA and the breached entities demanding further information.

“This data breach is yet another example of how fragile our information infrastructure is, and how vulnerable all of us are to cyber hacking,” said Michigan Attorney General Dana Nessel. “Here in Michigan, we continue to rely on media reports that alert us to these terrible situations because – unlike most other states – we have no law on the books that requires that our office be notified when a breach occurs.”

Nessel is particularly concerned about the length of time hackers had access to the AMCA payment page before the breach was detected and that the attack appears to have been conducted specifically to obtain sensitive patient information, which places affected individuals at a high risk of fraud.

New York Attorney General Letitia James, Minnesota Attorney General Keith Ellison, and North Carolina Attorney General Josh Stein have also confirmed that they have started investigating the data breach. Two New Jersey senators have also demanded answers from New Jersey-based Quest Diagnostics. However, it appears that the affected companies are still very much in the dark about what exactly has happened and who has been affected. Only limited information has been provided as AMCA continues to investigate.

AMCA has confirmed it has already taken steps to improve security, including taking its web payments page offline, migrating its services to another third-party vendor, and hiring a cybersecurity firm to assess cybersecurity protections and install additional security measures. Third-party forensics experts are continuing to investigate the breach and identify other data that may have been affected.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.