HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Up to 7.7 Million Patients of LabCorp Impacted by AMCA Breach

Following the news that the data breach at American Medical Collection Agency (AMCA) exposed the records of 11.9 million Quest Diagnostics patients, comes news of another healthcare company that has been affected by the breach.

On June 4, 2019, LabCorp, another national network of blood testing centers, announced that 7.7 million individuals whose blood samples were processed by the company may have had their sensitive information exposed.

As was the case with Quest Diagnostics, LabCorp disclosed the breach through a U.S. Securities and Exchange Commission (SEC) filing. LabCorp said it had been notified by AMCA that its data had also been exposed as a result of the cyberattack on AMCA’s web payment portal, which saw hackers gain access to the system between August 1, 2018 and March 30, 2019. LabCorp said AMCA held data on 7.7 million of its customers.

According to the AMCA website, the company manages more than $1 billion in annual receivables for a diverse client base, which includes “laboratories, hospitals, physician groups, billing services, and medical providers all across the country.”

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

It is therefore unsurprising that another healthcare organization has announced that it too has been impacted by the data breach at AMCA. It is likely that over the course of the next few days and weeks that there will be several other announcements by healthcare organizations that have also been impacted by the breach.

The number of healthcare records known to have been exposed is now 19.6 million and only two healthcare companies have so far announced that they have been affected.

The LabCorp data did not include Social Security numbers, unlike Quest Diagnostics, but did include names, addresses, phone numbers, dates of birth, dates of service, provider information, balance information, and some banking and credit card information. LabCorp notes that no diagnostic information, medical test results, or insurance information were provided to AMCA. As was the case with Quest Diagnostics, LabCorp has stopped using AMCA for billing collections.

Around 200,000 individuals whose financial information was exposed are being notified by AMCA and have been offered 2 years of credit monitoring and identity theft protection services. LabCorp has not yet received full details on the individuals that have been impacted by the breach, so notifications to other customers cannot yet be issued.

As reported yesterday, Gemini Advisory discovered around 200,000 credit cards listed for sale on a darknet marketplace and tipped off AMCA to the breach. Those credit card numbers were not from LabCorp customers as the data set included Social Security numbers, which were not provided by LabCorp to AMCA.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.