It has recently been discovered that the protected health information (PHI) of approximately 2.2 million patients of Clinical Pathology Laboratories in Texas may have been compromised in the data breach at American Medical Collection Agency (AMCA).
AMCA supplies debt collection services to many healthcare firms, which necessitates access to the PHI of patients with outstanding bills. A cyberattack on the AMCA payment website allowed hackers to gain access to the site, and through it, the PHI of clients. Cybercriminals had access to the payment website for 8 months before the breach was noticed.
As of July 18, 2019, five AMCA clients have said that they were impacted by the breach. First came Quest Diagnostics, which made public through an SEC submission that 11.9 million of its patients had been affected. Following this came LabCorp’s announcement that 7.7 million records had been hit. BioReference Laboratories also revealed that approximately 422,000 of its patients had been affected, and another 13,000 patients of Penobscot Community Health Center in Maine have been impacted. So far, over 22.2 million patients are known to have been affected by the HIPAA violation.
All of the above healthcare providers were made aware of the breach during May, two months after AMCA first noticed it. However, only limited information about the breach was provided initially as AMCA continued its review.
Clinical Pathology Laboratories was made aware in May but was not given enough information about who had been impacted, so its breach announcement had to be delayed for a little while. AMCA has now confirmed that names, addresses, birth dates, dates of treatment, account balances, and credit/debit card or banking data were potentially impacted.
AMCA has started issuing notification letters to all affected Clinical Pathology Laboratories patients. To date, almost 34,500 letters have been mailed. Those individuals had their personal and financial information exposed. AMCA has since identified an additional 2.2 million patients who had their data exposed, although credit/debit card and banking information was not held for those clients.
As with all other impacted bodies, Clinical Pathology Laboratories has stopped working with AMCA. AMCA’s parent company has filed for Chapter 11 protection, a number of lawsuits have been initiated, and many state Senators have written to AMCA requesting answers. OCR will also be investigating how such a major breach could have occurred and not been noticed for a time period of eight months. Questions will also be asked about the reaction to the breach.