AMCA Data Breach Victims Now Over 20 Million as BioReference Laboratories Confirmed Breach Impact

The American Medical Collections Agency (AMCA) data breach victims has now gone over 20 million with the confirmation of another healthcare organization that it was affected by the incident.

BioReference Laboratories, a laboratory and clinical testing company based in New Jersey, lately confirmed the exposure of roughly 422,600 of its clients’ personal information because of the AMCA data breach.

BioReference Laboratories together with LabCorp (7.7 million records) and Quest Diagnostics/Optum360 (11.9 million records) now register a total number of 20,022,600 records compromised. It is likely that the number will continue to go up as the investigation moves along and more healthcare organizations receive notification of the data breach.

BioReference Laboratories verified the breach with the filing of an 8-K Security and Exchange Commission (SEC) on Monday. The subsidiary of OPKO Health received breach notifications on June 3, 2019.

The AMCA breach occurred from August 1, 2018 to March 30, 2019. Hackers accessed the AMCA web payment site, which impacted the information of a number of healthcare clients.

The compromised information of patients of BioReference Laboratories testing services included names, addresses, telephone numbers, birth dates, dates of service, email address, health insurance information, balance data, and bank account details. Social Security numbers, healthcare data, test findings and passwords/security Q&A were not compromised.

AMCA confirmed its notification of around 6,600 BioReference Laboratories customers whose financial data were exposed and offer of two-year free credit monitoring and identity theft protection services.

To date, AMCA only provided basic information about the breach. Details of the affected individuals are not yet available so no breach notification letters has been sent.

BioReference Laboratories explained that as soon as AMCA is able to provide additional information about the breach, it will take additional steps. BioReference Laboratories also remarked that it has not sent collection requests to AMCA since October 2018 and it has submitted a request to stop the process of pending collection requests.

A number of state Attorneys General have launched investigations of the breach and have started contacting AMCA and the breached entities for more information.

Michigan Attorney General Dana Nessel is specifically concerned about the time frame hackers accessed the AMCA payment page prior to the detection of the breach and whether the attack was intended to acquire sensitive patient data, which puts affected persons at a high risk of fraudulence.

Minnesota Attorney General Keith Ellison, New York Attorney General Letitia James, and North Carolina Attorney General Josh Stein likewise confirmed their conduct of an investigation into the data breach. Two New Jersey senators are asking New Jersey-based Quest Diagnostics questions about the breach. But the affected companies still have limited information from AMCA about the exact situation.

AMCA just stated that it is taking steps to enhance security. The web payments page was taken offline, services were migrated to a different third-party vendor, and a cybersecurity company was hired to evaluate cybersecurity defenses and install more security controls. The forensics specialists are still investigating the breach and identifying all the affected data.