Commercial risk will be a critical catalyst of progress – it’s complicated, but is it possible? We think so.


August 13, 2019

24.4M patients, 21 companies now say they were affected by AMCA data breach

Daily Briefing

    Three more health care companies have notified patients that their personal information might have been exposed in a data breach at the American Medical Collection Agency (AMCA).

    Cheat sheets: What executives need to know about cybersecurity


    Quest Diagnostics on June 3 disclosed that an "unauthorized user" had access to AMCA's system and might have accessed data on 11.9 million Quest patients. Quest in a statement said AMCA on May 14 alerted Quest and Optum360, one of Quest's contractors that uses AMCA's billing collection services, that an unauthorized user had access to AMCA's systems between Aug. 1, 2018, and March 30, 2019. According to Quest, the data stored by AMCA included financial information—such as credit card numbers and bank account information—medical information, and other personal information, such as Social Security Numbers. The data did not include lab results.

    Quest said it had stopped sending collections to AMCA and is complying with all notification regulations. The company added that it would work with AMCA, Optum360, and third-party security experts to conduct an investigation of the breach. Daily Briefing is published by Advisory Board, a division of Optum, which is a wholly owned subsidiary of UnitedHealth Group.

    One day after Quest announced the breach, Laboratory Corp. of America, known as LabCorp, in a securities filing disclosed that data on 7.7 million of its patients might have been affected by the same security incident. LabCorp said affected patients' addresses, balance information, dates of birth, dates of service, health care providers, names, and phone numbers might have been exposed in the breach. In addition, LabCorp said, "AMCA's affected system also included credit card or bank account information that was provided by the consumer to AMCA (for those who sought to pay their balance)."

    LabCorp said it had stopped sending collection requests to AMCA and had suspended the collection firm's work on pending requests that involved LabCorp patients.

    AMCA said it "hired a third-party external forensics firm to investigate any potential security breach in [its] systems, migrated [its] web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase [its] systems' security."

    AMCA then filed for Chapter 11 bankruptcy, saying it had to take out a $2.5 million loan to cover expenses related to the breach.

    Three more health care companies say patient data might have been affected by breach

    According to HIPAA Journal, three additional companies—CompuNet Clinical Laboratories, Inform Diagnostics, and West Hills Hospital & Medical Center—recently informed patients that their personal information also might have been compromised as a result of the AMCA data breach. AMCA in June notified the companies that they had been affected by the breach, HIPAA Journal reports.

    Inform Diagnostic has sent letters to 173,690 patients notifying them that their personal data might have been compromised, and CompuNet Clinical Laboratories has notified approximately 111,000 patients about possible data exposure because of the breach. West Hills did not state how many patients might have been affected by the breach, HIPAA Journal reports. AMCA sent letters to West Hills' patients who may have had their financial information exposed in the data breach, and the hospital is notifying the remaining patients who might have been affected.

    According to HIPAA Journal, the companies' announcements bring the total number of health care companies known to have been affected by the data breach to 21, and the total number of patients potentially affected by the breach to at least 24.4 million. The companies known so far to have been affected the breach, according to HIPAA Journal, are:

    • American Esoteric Laboratories;
    • Arizona Dermatopathology;
    • Austin Pathology Associates;
    • BioReference Laboratories/Opko Health;
    • Carecentrix;
    • CBLPath;
    • Clinical Pathology Associates;
    • CompuNet Clinical Laboratories;
    • Inform Diagnostics;
    • LabCorp;
    • Laboratory Medicine Consultants;
    • Laboratory of Dermatology ADX;
    • Natera;
    • Pathology Solutions;
    • Penobscot Community Health Center;
    • Seacoast Pathology;
    • South Texas Dermatopathology;
    • Sunrise Medical Laboratories;
    • Quest Diagnostics/Optum360;
    • Western Pathology Consultants; and
    • West Hills Hospital and Medical Center/United WestLabs (Garrity, Becker's Health IT & CIO Report, 8/9; HIPAA Journal, 8/8).

    Have a Question?


    Ask our experts a question on any topic in health care by visiting our member portal, AskAdvisory.