PHI of About 12 Million Quest Diagnostics Patients Exposed in AMCA Data Breach

An authorized person hacked into the systems of American Medical Collection Agency (AMCA) in Elmsford, NY, a billing collections provider. The protected health information (PHI) of 11.9 million patients of Quest Diagnostics, one of the biggest blood testing lab in America using AMCA services, may have been viewed and copied.

It’s likely that patients of other healthcare organizatiosn were affected by the breach. This 11.9 million records AMCA breach is the second biggest healthcare data breach ever reported. The biggest breach was reported by Anthem in 2015 with 78.8 million records exposed.

In May 2019, Gemini Advisory researchers discovered the data breach after identifying the payment card details of around 200,000 patients available on a darknet marketplace. Gemini Advisory mentioned that it appeared the September to March 2018 credit card information was from AMCA.

Gemini Advisory advised AMCA concerning the potential breach. There was no response from AMCA. So, Gemini Advisory submitted a report of the breach to law enforcement. In turn, law encforment contacted AMCA to verify the breach.

AMCA is provides billing collection services for Optum360, which is a business associate of Quest Diagnostics and UnitedHealth Group. Quest Diagnostics and Optum360 received breach notifications from AMCA on May 14, 2019.

As per AMCA, patient data was compromised from August 1, 2018 to March 30, 2019. Hired computer forensics professionals looked into the breach to find out who were affected. AMCA is convinced that about 11.9 million Quest Diagnostics patients were affected. But the information of patients from other entities besides Quest Diagnostics is possibly compromised.

The information accessed by the attackers may have included names, private data, financial information, healthcare data and Social Security numbers. Lab test results were not compromised.

Although Quest Diagnostics and Optum360 is aware of the immensity of the breach, complete information about the affected patients is not yet available. Quest Diagnostics likewise noted unverified accuracy of the data from AMCA.

Quest Diagnostics is working closely with Optum360 and will send breach notification letters to the affected persons when data is available.