EARLIER THIS MONTH, BioReference Laboratories, Laboratory Corp. of America, and Quest Diagnostics each reported data breaches. The breaches originated with the American Medical Collection Agency (AMCA), which provides payment services to the three lab companies, according to published reports. The number of patients affected by the three incidents is at least 20 million, and the breaches occurred over the same time period, August 2018 through March 2019.
On June 3, Quest said 11.9 million customers may have had their protected health information (PHI) compromised from a data breach that Wendy Bost, a spokeswoman for Quest, said originated with the AMCA, Quest’s billing collection service.
7.7 Million Patients
The next day, LabCorp said personal data for about 7.7 million patients whose information was held at the AMCA was exposed. LabCorp said the AMCA disclosed that it found unauthorized activity on its web-payment page between August 2018 and March 2019.
On June 6, Health IT Security reported that the AMCA had notified BioReference Laboratories (BRLI) of a data breach involving 422,000 BRLI patients.
The AMCA said that the breach compromised data such as patient demographic data, provider names, balance information, credit cards, e-mail addresses, and bank account information. All three lab companies said they have stopped sending new collection requests to the AMCA.
The news of these large breaches of protected health information has suddenly raised the media profile of the AMCA, a company founded in 1977 and based in Elmsford, N.Y. It provides collection services to clinical labs, hospitals, physicians, and other providers.
Michigan Attorney General
In fact, the Attorney General of Michigan, Dana Nessel, announced that her office would investigate the AMCA. Health IT Security reported that Nessel “said she’ll be sending a letter to [the] AMCA, Quest, and Optum360 (a Quest Diagnostics partner) to gain more insight into the event, although the total number of victims is not yet known.”
The news outlet also wrote that “Nessel is particularly troubled by the length of time the hack was able to continue without being detected by [the] AMCA. For Quest, the exposed data included highly sensitive information like Social Security numbers, and some health information.”
Nessel told Health IT Security that “Quest is only one of [the] AMCA’s medical clients, so it is possible that patient information from other healthcare providers may have also been breached.” “We have no idea how far and wide this breach has gone,” she said.