Clinical Pathology Laboratories, based in Texas, recently learned that the data breach at American Medical Collection Agency (AMCA) affected 2.2 million of its patients, potentially compromising their protected health information (PHI).
AMCA provides debt collection services to many healthcare companies. As a provider of this service, AMCA receives the PHI of patients who have collectible bills. A cyberattack on AMCA's payment website gave hackers access to the site and to the patients' PHI. By the time the breach was discovered, the hackers had been accessing the site for 8 months.
As of July 18, 2019, the breach was confirmed to have affected five AMCA clients: Quest Diagnostics and its 11.9 million patients; LabCorp and 7.7 million patient records; BioReference Laboratories and about 422,000 of its patients; and Penobscot Community Health Center in Maine with its 13,000 patients. In total, over 22.2 million patients were affected by the AMCA breach.
AMCA notified all of the healthcare providers mentioned above in May, two months after AMCA knew about the breach. Even then, AMCA initially provided only limited information about the breach as the investigation progressed.
Clinical Pathology Laboratories received the notification in May, but there was not enough information regarding the patients affected, so it delayed its breach announcement. AMCA recently confirmed to Clinical Pathology Laboratories the names of those affected as well as the types of information potentially compromised, which include their addresses, dates of birth, dates of service, credit/debit card or banking details, and account balances.
AMCA began sending notification letters to the patients of Clinical Pathology Laboratories. About 34,500 letters have already been sent to those whose personal and financial data were exposed. AMCA has since found 2.2 million more patients whose information was exposed, though no credit/debit card or banking details were involved.
Like the other affected healthcare organizations, Clinical Pathology Laboratories ended its association with AMCA. The parent company of AMCA has already filed for Chapter 11 protection. Several lawsuits have been filed against AMCA. A number of state Senators are demanding answers. OCR also wants to find out what caused such a serious breach and how it escaped detection for 8 months. The breach response will also be examined. Though the breach was discovered in March 2019 or sooner, notification letters were only sent starting June 4.