AMCA Data Breach Total Nears 25 Million

The number of healthcare providers confirmed to have been affected by the American Medical Collection Agency (AMCA) data breach has continued to grow over the past week. To date, 18 healthcare providers have made announcements that the protected health information they provided to AMCA has been exposed.

AMCA is a collection agency that works with several healthcare organizations and recovers unpaid medical bills. In March 2019, Retrieval-Masters Creditors Bureau, AMCA’s parent company, discovered an unauthorized individual had gained access to a web payment page and was able to view and obtain patient data. RMCB was alerted to a potential breach when several fraudulent credit card transactions were linked to AMCA.

The investigation revealed the hacker had gained access to the payment page 8 months previously. The first recorded incident of unauthorized access was in August 2018. Since some financial information was stolen and misused, it is reasonable to assume that the hacker gained access to all information accessible through the payment page and all patient data available through that page has been compromised.

The first companies to announce the breach did so through SEC filings. Quest Diagnostics / Optum 360 confirmed 11.9 million patients had been affected, a further 7.7 million LabCorp patients were impacted, and 422,600 BioReference Laboratories patients.

The past week has seen a flurry of breach announcements from other healthcare providers and the victim count has continued to grow. It is not yet known how many more healthcare providers have been affected by the breach. The total could well continue to rise.

While affected clients were informed about the breach in May 2019, very few details about the breach were released. As the investigation continued, affected companies started to find out more about the numbers involved, although many patients have still not been sent breach notification letters. AMCA has sent more than 7 million notifications so far, but the priority has been individuals whose financial information was exposed.  It is likely to be a few weeks before all patients receive their notifications.

The full list of healthcare organizations affected by the AMCA data breach are detailed in the table below:

Healthcare Organization Records Exposed
Quest Diagnostics/Optum360 11,900,000
LabCorp 7,700,000
Clinical Pathology Associates 2,200,000
American Esoteric Laboratories 541,900
Carecentrix 500,000
Sunrise Medical Laboratories 427,000
BioReference Laboratories/Opko Health 422,600
CBLPath Inc. 148,900
Laboratory Medicine Consultants 147,600
Austin Pathology Associates 46,500
South Texas Dermatopathology PLLC 16,100
Pathology Solutions 13,300
Penobscot Community Health Center 13,000
Seacoast Pathology, Inc 10,000
Arizona Dermatopathology 7,000
Western Pathology Consultants 4,550
Laboratory of Dermatology ADX, LLC 4,240
Natera Unknown


At almost 25 million records, the AMCA data breach is the second largest healthcare data breach ever reported by some distance, although well short of the 78.8 million record data breach at Anthem Inc.

Senators have been demanding answers about the breach, state attorneys general have launched investigations, and the Department of Health and Human Services’ Office for Civil Rights will be investigating to determine if Health Insurance Portability and Accountability Act (HIPAA) Rules have been violated.

If privacy and security controls are found to be lacking, AMCA is likely to face a sizable financial penalty. OCR can issue fines of up to $1.5 million per HIPAA violation category. Anthem Inc. settled its case with OCR for $16,000,000.

AMCA has already laid off most of its workforce as the majority of its clients have stopped working with the firm. The company has spent millions on the breach response and has filed for Chapter 11 bankruptcy protection.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of