AMCA Data Breach Victim Count Swells to Almost 25 Million Records
The number of healthcare providers confirmed to have been affected by the data breach at American Medical Collection Agency (AMCA) has grown considerably over the past few days. The victim count is now nearing 25 million and 18 healthcare providers are now known to have been affected.
The AMCA breach was discovered by its parent company, Retrieval Masters Credit Bureau (RMCB), on March 21, 2019. An investigation was launched to determine the extent of the attack, which revealed the hacker had access to the AMCA payment web page for around 8 months. During that time, the hacker had access to vast quantities of sensitive patient information, including financial information and Social Security numbers.
AMCA notified all entities that had been affected by the breach in May 2019; however, only limited information was released. Most of the covered entities affected by the breach were not given sufficient information to allow the affected patients to be identified. Quest Diagnostics was the first to announce that it has been impacted by the breach, closely followed by LabCorp and BioReference Laboratories. Many more healthcare providers have made announcements in the past week.
AMCA has been issuing breach notification letters to affected individuals whose financial information was exposed, but other individuals have not yet been notified. For example, Austin Pathology recently confirmed it has been affected by the breach. Austin Pathology was told around 1,800 breach notification letters had been sent to Austin Pathology patients whose financial information was exposed.
Austin Pathology has confirmed that 46,500 patients have been impacted. The 44,700 patients who have yet to be notified had their name, address, telephone number, date of birth, dates of service, provider details, and account balances exposed. It could well be weeks before all affected patients are notified.
AMCA Data Breach Victims
Affected Entity | Records Exposed |
Quest Diagnostics/Optum360 | 11,900,000 |
LabCorp | 7,700,000 |
BioReference Laboratories/Opko Health | 422,600 |
Penobscot Community Health Center | 13,000 |
Clinical Pathology Associates | 2,200,000 |
Carecentrix | 500,000 |
Austin Pathology Associates | 46,500 |
Seacoast Pathology, Inc | 10,000 |
Arizona Dermatopathology | 7,000 |
American Esoteric Laboratories | 541,900 |
CBLPath Inc. | 148,900 |
Sunrise Medical Laboratories | 427,000 |
Natera | 3,000 |
South Texas Dermatopathology PLLC | 16,100 |
Laboratory of Dermatology ADX, LLC | 4,240 |
Laboratory Medicine Consultants | 147,600 |
Pathology Solutions | 13,300 |
Western Pathology Consultants | 4,550 |
So far, the protected health information of 24,105,690 individuals is known to have been exposed.
As it stands, the AMCA data breach is the second largest healthcare data breach ever reported, behind Anthem’s 78.8 million-record-breach that was discovered in 2015.
The cost of AMCA’s breach response has been considerable. AMCA has sent more than 7 million breach notification letters, IT consultants have been hired to assist with the investigation, and as of June 19, 2019, $3.8 million had been spent on the breach response. $2.5 million of that came from RMCB CEO Russell Fuchs, who lent the company the money to cover the cost of the breach notifications. RMCB has since filed for Chapter 11 protection.
AMCA will also be investigated by state attorneys general and the HHS’ Office for Civil Rights to determine whether the breach could be attributed to poor security and noncompliance with HIPAA. OCR has previously fined defunct companies for historic HIPAA violations. Bankruptcy does not offer protection against regulatory fines.