A hacker accessed the systems of American Medical Collection Agency (AMCA) based in Elmsford, NY, a billing collections company. The breach may have resulted to the viewing and copying of the protected health information (PHI) of 11.9 million Quest Diagnostics patients. Quest Diagnostics is a large blood testing laboratory in America that uses AMCA services.
It’s possible that the breach could affect other healthcare organizations’ patients. This breach is the second biggest healthcare data breach ever reported with about 12 million records exposed. The biggest is the 78.8 million record data breach of Anthem in 2015.
Researchers at Gemini Advisory discovered the data breach in May 2019 when they found the payment card information of about 200,000 patients being sold on a darknet marketplace. Gemini Advisory said that the credit card information seem to have come from AMCA, which was obtained from September 2018 to March 2019.
Gemini Advisory informed AMCA regarding the potential breach, but did not receive any response. Then, Gemini Advisory reported the incident to law enforcement, which got into contact with AMCA to validate the occurrence of a breach.
AMCA is a billing collection services provider of Optum360, a business associate of Quest Diagnostics and health insurer UnitedHealth Group. AMCA informed Quest Diagnostics and Optum360 concerning the breach incident on May 14, 2019.
According to AMCA, a breach caused patient data exposure from August 1, 2018 to March 30, 2019. Computer forensics specialists investigated the breach to determine the exact number of patients affected. AMCA believes that there were about 11.9 million Quest patients affected by the breach. AMCA also stated that the compromised system included the information from other entities aside from Quest Diagnostics.
The attackers may have accessed the following information: names, personal data, Social Security numbers, financial details, and medical data. No lab test results were included.
Although Quest Diagnostics and Optum360 know about the enormity of the breach, they still don’t have the full information of the patients affected. Quest Diagnostics also mentioned the accuracy of the data AMCA provided is still not yet verified.
Quest Diagnostics made a statement of its close coordination with Optum360. Notification letters will be sent to all affected persons when complete information from AMCA is available.