A security breach at American Medical Collection Agency (AMCA), a provider of billing services for the US healthcare sector, has now exposed the personal and financial information of over 20 million Americans, possibly more.
The exposed data belongs to Americans who paid laboratory work at various clinical and blood testing labs across the US and used AMCA’s billing portal.
Hack went undetected for months
The breach, first reported by DataBreaches.net, took place after a hacker group compromised AMCA’s IT network and stole payment information, which they later put up for sale on carding forums.
Exposed data included names, home addresses, phone numbers, dates of birth, Social Security numbers, payment card details, and bank account information.
After being confronted about the hack, AMCA officials admitted to the security incident, which they said lasted from August 1, 2018, to March 30, 2019, a period of eight months.
Since officially confirming the breach, several of AMCA’s corporate clients (testing labs) have now also started notifying their own customers of their billing partner’s security snafu.
The list of impacted testing laboratories includes Quest Diagnostics (11.9 million patients), LabCorp (7.7 million patients), BioReference Laboratories (Opko Health subsidiary, 422,600 patients), Carecentrix (500,000 patients), and Sunrise Laboratories (undisclosed number of patients).
Lots of problems ahead
Neither AMCA nor its five customers have yet to notify all users impacted by the breach, which may pose issues for all involved parties. AMCA initially claimed that only 200,000 patients had their data stolen by hackers, but subsequent SEC filings by testing laboratories contradicted its initial statements.
Following the bungled disclosure of these incidents, tens of lawsuits have been filed around the US, against AMCA, Quest, and LabCorp.
US authorities have also opened investigations into the AMCA breach, with attorneys general from Connecticut and Illinois being the first to do so.
In Washington, US Sen. Mark Warner (D-VA) also sent a letter to Quest Laboratories demanding the company explain its vetting process for selecting AMCA as a billing vendor, and what requirements a third-party vendor has to pass.
Democratic New Jersey Sens. Cory Booker and Bob Menendez also sent letters to AMCA, Quest, and LabCorp, seeking official answers on how a breach of this severity went undetected for eight months.
Whatever comes next, it’s certainly not good for AMCA, with authorities and the courts expected to come down hard on the billing vendor.
More data breach coverage: