Texas-based Clinical Pathology Laboratories announced that 2.2 million of its patients were affected by the American Medical Collection Agency (AMCA) data breach. As a result, their protected health information (PHI) was potentially compromised.
AMCA provides Clinical Pathology Laboratories and other healthcare organizations with debt collection services. Therefore, AMCA gets access to the PHI of patients who have collectible payments. The hackers attacked AMCA’s payment website and accessed the website as well as the PHI of patients. The hackers had access to the website for 8 months before the breach was discovered.
Reports as of July 18, 2019 indicate that the AMCA breach affected five healthcare organizations and over 22 million patients. They include:
- 11.9 million Quest Diagnostics patients
- 7.7 million LabCorp patients
- About 422,000 BioReference Laboratories patients
- 13,000 Penobscot Community Health Center, Maine patients
- 2.5 million Clinical Pathology Laboratories patients
AMCA advised the listed healthcare providers about the breach in May, two months after the discovery of the incident. But AMCA provided only limited information concerning the breach because the investigation was still ongoing.
Clinical Pathology Laboratories got the notification in May but without the information on the patients affected, which delayed its breach announcement. AMCA just provided Clinical Pathology Labs with the names of patients affected and the types of information possibly compromised: the patients’ addresses, birth dates, dates of service, information on the patients’ credit/debit card or banking, and account balances.
AMCA started mailing about 34,500 notification letters to the Clinical Pathology Laboratories patients, particularly those who had their personal and financial information exposed. Since then, AMCA has found that 2.2 million more patients had their information exposed, although credit/debit card or banking information was not included.
Clinical Pathology Laboratories, like the other healthcare companies, cut off its connections with AMCA. AMCA’s parent company has filed for Chapter 11 protection. AMCA is currently facing a number of lawsuits while several state Senators are looking for answers. OCR also would like to know what brought about such a major breach and why it was not detected for 8 months. AMCA’s breach response will likewise be questioned. Even if AMCA discovered the breach in March 2019 or earlier, it sent notification letters only beginning June 4.