The number of healthcare providers confirmed to have been affected by the American Medical Collection Agency (AMCA) data breach has continued to grow over the past week. To date, 18 healthcare providers have made announcements that the protected health information they provided to AMCA has been exposed.
AMCA is a collection agency that works with several healthcare organizations and recovers unpaid medical bills. In March 2019, Retrieval-Masters Creditors Bureau, AMCA’s parent company, discovered an unauthorized individual had gained access to a web payment page and was able to view and obtain patient data. RMCB was alerted to a potential breach when several fraudulent credit card transactions were linked to AMCA.
The investigation revealed the hacker had gained access to the payment page 8 months previously. The first recorded incident of unauthorized access was in August 2018. Since some financial information was stolen and misused, it is reasonable to assume that the hacker gained access to all information accessible through the payment page and all patient data available through that page has been compromised.
The first companies to announce the breach did so through SEC filings. Quest Diagnostics / Optum 360 confirmed 11.9 million patients had been affected, a further 7.7 million LabCorp patients were impacted, and 422,600 BioReference Laboratories patients.
The past week has seen a flurry of breach announcements from other healthcare providers and the victim count has continued to grow. It is not yet known how many more healthcare providers have been affected by the breach. The total could well continue to rise.
While affected clients were informed about the breach in May 2019, very few details about the breach were released. As the investigation continued, affected companies started to find out more about the numbers involved, although many patients have still not been sent breach notification letters. AMCA has sent more than 7 million notifications so far, but the priority has been individuals whose financial information was exposed. It is likely to be a few weeks before all patients receive their notifications.
The full list of healthcare organizations affected by the AMCA data breach are detailed in the table below:
| Healthcare Organization | Records Exposed |
| Quest Diagnostics/Optum360 | 11,900,000 |
| LabCorp | 7,700,000 |
| Clinical Pathology Associates | 2,200,000 |
| American Esoteric Laboratories | 541,900 |
| Carecentrix | 500,000 |
| Sunrise Medical Laboratories | 427,000 |
| BioReference Laboratories/Opko Health | 422,600 |
| CBLPath Inc. | 148,900 |
| Laboratory Medicine Consultants | 147,600 |
| Austin Pathology Associates | 46,500 |
| South Texas Dermatopathology PLLC | 16,100 |
| Pathology Solutions | 13,300 |
| Penobscot Community Health Center | 13,000 |
| Seacoast Pathology, Inc | 10,000 |
| Arizona Dermatopathology | 7,000 |
| Western Pathology Consultants | 4,550 |
| Laboratory of Dermatology ADX, LLC | 4,240 |
| Natera | Unknown |
At almost 25 million records, the AMCA data breach is the second largest healthcare data breach ever reported by some distance, although well short of the 78.8 million record data breach at Anthem Inc.
Senators have been demanding answers about the breach, state attorneys general have launched investigations, and the Department of Health and Human Services’ Office for Civil Rights will be investigating to determine if Health Insurance Portability and Accountability Act (HIPAA) Rules have been violated.
If privacy and security controls are found to be lacking, AMCA is likely to face a sizable financial penalty. OCR can issue fines of up to $1.5 million per HIPAA violation category. Anthem Inc. settled its case with OCR for $16,000,000.
AMCA has already laid off most of its workforce as the majority of its clients have stopped working with the firm. The company has spent millions on the breach response and has filed for Chapter 11 bankruptcy protection.