Lawsuits Filed and Investigations Launched Over AMCA Breach

Since news of the huge data breach at American Medical Collection Agency (AMCA) broke, more than a dozen lawsuits have been filed by breach victims.

Quest Diagnostics officially announced the breach on June 3, 2019 via an 8-K filing with the Securities and Exchange Commission (SEC). LabCorp followed with an SEC filing on June 4, 2019, then BioReference Laboratories. At present, the number of compromised personal records has risen to 20 million.

A Gemini Advisory security researcher discovered the data breach at AMCA when he identified a set of 200,000 payment card numbers being sold on a darknet marketplace. The information included birth dates and Social Security numbers. After AMCA and law enforcement were notified, the hacked systems were secured. Investigators of the incident reported that the hackers had been accessing AMCA's web payment site for 7 months.

It would seem that the hackers responsible for the breach sought to monetize the stolen information. Many class action lawsuits have since been filed on behalf of the breach victims, with plaintiffs asserting that they suffered harm because of the data breach.

The majority of the lawsuits name one or more of the three laboratories – Quest Diagnostics, BioReference Laboratories and LabCorp. Some also name AMCA and Optum360. Optum360 was Quest Diagnostics' business associate. In certain cases, if a patient did not settle a bill, the patient's information was sent to Optum360, which passed it on to AMCA for collection.

The other class action lawsuits allege negligence and breach of implied contract due to the failure to protect personal data. According to one complaint, the defendants could have used encryption and adopted national and industry standards, as required, to avoid foreseeable harm to patients, but they did not do so despite having the funds available to implement a security program.

The lawsuits allege violations of various state laws and seek damages, financial assistance, and penalties for the privacy violations.

So far, AMCA has sent breach notifications to only a small number of people, most of whom had their financial data exposed. The healthcare companies that shared health data with AMCA still have not received the specifics of the people affected. It is likely that the number of affected people filing lawsuits will increase as more breach notification letters are sent.

Besides the class action lawsuits, state and federal regulators and Congress are scrutinizing the case and all entities involved. The HHS' Office for Civil Rights will investigate this breach to determine whether HIPAA Rules were violated. To date, the following six state attorneys general are already investigating the breach: New York, Michigan, Minnesota, North Carolina, Connecticut and Illinois.

If violations of state or federal laws are uncovered, financial penalties may be imposed. Earlier this year, a multi-state coalition of attorneys general filed a lawsuit against Medical Informatics Engineering over its 2014 data breach. A settlement of $900,000 was reached.