A fourth clinical lab impacted by a security breach at a third-party billing collections firm has come forward.
Clinical Pathology Laboratories, based in Austin, Texas, says 2.2 million patients may have had their names, addresses, phone numbers, dates of birth, dates of service, balance information and treatment provider information impacted by a security breach that occurred at the American Medical Collection Agency.
The victims of the massive AMCA breach include Quest Diagnostics, LabCorp and Opko Health, through one of its subsidiaries, BioReference Laboratories, Inc. With the inclusion of Clinical Pathology Laboratories' patients, the total number of patients whose data was potentially exposed by the breach is now over 22 million.
The clinical lab said in a press release that AMCA notified the company about the security incident in May 2019 after learning about the breach in March.
AMCA sent notification letters to approximately 34,500 Clinical Pathology Laboratories patients informing them that their personal information, as well as credit card or banking information, may have been compromised, the company said.
Based on the investigation and the information provided by AMCA, Clinical Pathology Laboratories estimates that the personal information of approximately another 2.2 million patients may have been compromised, but not banking or credit card information.
AMCA told Clinical Pathology Laboratories that patients' Social Security numbers were not involved in the incident.
The clinical lab company blames AMCA for not providing more details on the breach when it was disclosed in May.
"At the time of AMCA's initial notification, AMCA did not provide CPL with enough information for CPL to identify potentially affected patients or confirm the nature of patient information potentially involved in the incident, and CPL's investigation is on-going," the company said.
"CPL takes the security of its patients' information very seriously, including the security of data handled by vendors. As a result of the investigation, CPL is no longer using AMCA for collection efforts," the company said in the press release.
Quest Diagnostics disclosed on June 4 that 11.9 million customers may have had their medical and financial information exposed due to the AMCA data breach. LabCorp revealed the next day that 7.7 million patients' accounts at AMCA were stored in the vulnerable computer system and may also have been exposed.
BioReference then reported that it was hit, with approximately 422,600 patients' data stored in the affected AMCA system. That pushed the breach past the 20 million patient mark.
Maine's Penobscot Community Health Center also said it is notifying 13,000 patients that their data was potentially compromised in the AMCA security incident.
AMCA's parent company, Retrieval-Masters Creditors Bureau, Inc., voluntarily filed for Chapter 11 bankruptcy protection in the Southern District of New York on June 17.
According to the Chapter 11 declaration, after 40 years in business with no known data security incidents of any kind, the company became aware in March of what turned out to be a major data breach that apparently had occurred sometime during the prior year.
AMCA first became aware of the potential security incident when a disproportionate number of credit cards that interacted with the company's web portal were linked to fraudulent transactions, according to the filing.
AMCA shut down its web portal to prevent any further compromises of customer data and engaged outside consultants who were able to confirm that its servers had been hacked as early as August 2018.
As a result of the discovery of the data breach and its aftermath, AMCA suffered a severe drop-off in its business.
The breach resulted in enormous expenses, the company said in its Chapter 11 filing, including hiring IT professionals and consultants from three different firms to identify the source of the breach, diagnose its cause and implement appropriate solutions. To date, these expenses alone cost approximately $400,000.
The company also has spent more than $3.8 million to meet certain legal requirements and regulatory obligations, including notifying 7 million individuals by mail that their information may have been accessed.
The company also had to reduce its workforce from 113 to 25 employees, according to the filing.
AMCA said it filed the Chapter 11 petition in order to allow it "the breathing room to appropriately evaluate its pool of remaining assets and liabilities, cost-effectively respond to regulatory demands, and ultimately, to wind-up of its business in an orderly fashion through a liquidating chapter 11 plan," according to the Chapter 11 declaration.
Victims of the AMCA data breach have filed dozens of lawsuits against LabCorp and Quest Diagnostics for failing to notify patients in a timely manner and to protect patients' sensitive data.