AMCA breach may have exposed data on 7.7M LabCorp patients

A security breach at a third-party billing collections firm that did business with Quest Diagnostics may have also exposed the personal and financial data on 7.7 million LabCorp customers, the medical testing company said Tuesday.

In a filing Tuesday with the Securities and Exchange Commission, LabCorp said it was recently notified about a security breach that occurred at the American Medical Collection Agency, between August 1, 2018, and March 30, 2019. AMCA is an external collection agency used by LabCorp and other healthcare companies.

LabCorp has referred approximately 7.7 million consumers to AMCA, and their data was stored in the affected AMCA system. AMCA's affected system included information provided by LabCorp, the company said in the filing.

LabCorp's confirmation of the data breach comes one day after medical testing company Quest Diagnostics revealed that 11.9 million customers may have had their medical and financial information compromised due to the AMCA breach.

AMCA is in the process of sending notices to approximately 200,000 LabCorp consumers whose credit card or bank account information may have been accessed, LabCorp said in the filing. AMCA has not yet provided LabCorp a list of the affected LabCorp consumers or more specific information about them, the company said.

The data on LabCorp's 7.7 million customers stored in AMCA's affected system could include first and last name, date of birth, address, phone number, date of service, provider and balance information. AMCA's affected system also included credit card or bank account information that consumers had provided directly to AMCA, LabCorp said.

LabCorp said it provided no laboratory results or diagnostic information to the collections firm. AMCA also doesn’t store Social Security numbers and insurance identification information for LabCorp consumers, LabCorp said.

LabCorp provides diagnostic, drug development and technology-enabled solutions for more than 120 million patient encounters per year. LabCorp typically processes tests on more than 2.5 million patient specimens per week, according to the company.

AMCA is continuing to investigate the security incident and has taken steps to increase the security of its systems, processes, and data, according to LabCorp's filing.

"LabCorp takes data security very seriously, including the security of data handled by vendors. AMCA has informed LabCorp that it intends to provide the approximately 200,000 affected LabCorp consumers with more specific information about the AMCA Incident, in addition to offering them identity protection and credit monitoring services for 24 months," the company said.

Once it was notified of the AMCA Incident, LabCorp said it stopped sending new collection requests to AMCA and stopped AMCA from continuing to work on any pending collection requests involving LabCorp consumers.

LabCorp was hit with a cyber attack back in July 2018 that the company claimed involved "a new variant" of ransomware. In November, the Department of Justice (DOJ) handed down its first-ever indictment for the ransomware and extortion scheme that targeted LabCorp, Allscripts and several healthcare providers.

Quest Diagnostics reported in its SEC filing Monday that AMCA notified the company May 14 of potential unauthorized activity on AMCA's web payment page.

On May 31, AMCA notified Quest and Optum360 that the data on AMCA’s affected system included information regarding approximately 11.9 million Quest patients, including certain financial data, Social Security numbers and medical information but not laboratory test results, Quest Diagnostics said in a press release about the security incident.

AMCA released a statement Monday evening confirming that the company is investigating a data incident involving an unauthorized user accessing its system. The company received word from a security compliance firm that works with credit card companies of a possible security compromise.

AMCA said it conducted an internal review, and then took down its web payments page.

"This speaks to a number of continuing and, sadly, growing issues in healthcare," David Finn, executive vice president of strategic innovation at cybersecurity firm CynergisTek, told FierceHealthcare. "First, it is becoming more common for a law enforcement official or security consultant to be calling about a breach rather than the organization discovering the breach on their own."

"That would be bad enough, but in the hyper-connected world of healthcare, we have an extreme case of 'weakest link' syndrome—you can be doing everything right and a critical vendor or contractor can introduce threats, vulnerabilities or become the vector for the 'bad guys,'" Finn said.

Supply chain breaches are a growing source of breaches; the trend has been building since 2018 and is clearly continuing, Finn said.

"I don't believe this will be the last such announcement related to AMCA," Finn added. "As soon as Quest announced their breach on June 3, every organization using this specific collection agency, or any collection agency for that matter, should've started a deep dive into those vendors. Better yet, every covered entity should've started this process years ago, specifically 2005 when the Privacy Rule went into effect, to assess and continually validate the security status of their vendors."

Two weeks ago, the Department of Health and Human Services (HHS) published a fact sheet on the direct liability of business associates under HIPAA. The fact sheet outlines the provisions for which a business associate can be held directly liable for compliance with certain requirements of the HIPAA Privacy, Security, Breach Notification and Enforcement Rules.

In 2013, under the authority granted by the HITECH Act, the Office for Civil Rights within HHS issued a final rule that, among other things, identified provisions of the HIPAA Rules that apply directly to business associates and for which business associates are directly liable. 

Under that HIPAA Omnibus Rule, business associates are responsible for the violations committed by their contractors and subcontractors, Finn said.