Two More Lab Firms Say They Were AMCA Breach Victims
Massive Data Breach Continues to Get Messier
This story has been updated.
It's been more than two months since lab companies began revealing they had patient data exposed in a data breach at American Medical Collection Agency. But new victim organizations are continuing to emerge, bringing the total to about 18.
In breach notification statements issued last week, Irving, Texas-based Inform Diagnostics and Dayton, Ohio-based CompuNet Clinical Laboratories each disclosed that they too were victims of the AMCA breach.
Inform Diagnostics' Disclosure
Inform Diagnostics, an anatomic pathology laboratory services firm, says that on June 30, Retrieval-Masters Creditors Bureau - which does business as American Medical Collection Agency, or AMCA - notified it "that an unauthorized user had accessed AMCA's server, which contained personal and payment information for a large number of individuals, including a number of Inform Diagnostics' laboratory patients."
Patient information exposed as a result of the incident includes first and last names; credit card numbers and other banking information; Social Security numbers; locations and dates of laboratory services; and referring physicians, Inform Diagnostics says.
"Not every type of information was exposed for every patient, and no test results were disclosed as a result of the incident," the company says. "At this time, Inform Diagnostics has no reason to believe that any patient information has been misused."
The Department of Health and Human Services' HIPAA Breach Reporting Tool website, which lists health data breaches impacting 500 or more individuals, shows that Inform Diagnostics reported the hacking/IT incident to HHS on June 14 as impacting nearly 174,000 individuals.
Although at least 18 AMCA clients have revealed being victims of the AMCA breach, only the breach reports by Inform Diagnostics, Natera Inc. (a California-based reproductive services firm) and Penobscot Community Health Center, Inc. (a clinic in Maine) appeared on the HHS breach reporting website as of Wednesday.
But on Thursday, the tally also included the breaches reported by LabCorp, affecting nearly 10.3 million individuals, and Optum360, a Quest Diagnostics vendor, affecting 11.5 million individuals.
A total of more than 23 million patients are estimated to have been affected by the AMCA incident, which appears to be the largest health data breach so far this year.
CompuNet Clinical Laboratories' Statement
In its breach notification statement, CompuNet notes that it learned of the incident on June 5, and that AMCA says unauthorized access to AMCA's systems occurred between Aug. 1, 2018, and March 30, 2019.
"AMCA provided billing collection services for CompuNet through a former joint venture partner, Quest Diagnostics," CompuNet says. Quest Diagnostics has said that about 12 million of its patients were impacted by the AMCA breach.
"Some of the information on AMCA's system relates to services patients received from CompuNet, including some patients' names, dates of birth, dates of medical service, names of labs or medical service providers, referring doctors, health insurance information, and other medical information," CompuNet notes. "In some cases, patients' Social Security numbers, credit card numbers, and bank account information were impacted."
CompuNet CFO Jan Woole tells Information Security Media Group that about 111,000 of the patients it serves were affected by the AMCA breach. "Some of our patients were also notified by Quest and AMCA. However, the letters sent out by AMCA and Quest did not identify CompuNet as the treating entity. We felt it important to let our patients know how they were affected by this incident," she says.
Lawsuits to Be Consolidated?
In the wake of the AMCA breach, at least two dozen class action lawsuits have been filed against AMCA as well as some of its clients affected by the incident. Meanwhile, AMCA's parent company, Retrieval-Masters Creditors Bureau, on June 17 filed a petition for bankruptcy.
"As expected, the AMCA data breach has turned into a legal free-for-all," says Paul Hales, a private practice health information privacy and security attorney who is not involved in the lawsuits.
On July 31, the U.S. Judicial Panel on Multidistrict Litigation referred class actions against AMCA, Quest, LabCorp and Bio-Reference, as well as potential actions against other laboratories, to U.S. District Judge Madeline Cox Arleo in New Jersey for consolidated pretrial proceedings, he notes.
"Legal questions include: AMCA's data security practices and whether they met industry standards; how the unauthorized access occurred; when defendants knew or should have known of the breach; the investigation into the breach; and the alleged delay in disclosure of the breach by all defendants," he adds.
But despite recent settlements in class action lawsuits in other large health data breach cases - including Premera Blue Cross and Anthem - Hales says the AMCA breach litigation could prove tougher to settle.
"Quick settlement is unlikely. Stay tuned."
More Victims to Come?
It's not clear how many more victim companies could be revealed in the weeks and months to come.
"Some of the reasons why we think there are so few reports to HHS' Office for Civil Rights are that AMCA has not completed notification to all its clients; that AMCA was a subcontractor to the vendor of a covered entity and the notifications have yet to make their way to the covered entity; or that the covered entity has made its own assessment that the probability of compromise to the PHI is low, or that the number of the covered entity's patients affected was less than 500 individuals, meaning the report is not due to be filed until the end of the calendar year," says privacy attorney David Holtzman of the security consultancy CynergisTek.
Holtzman says it appears that AMCA had "a complex web of business relationships" that dictate the flow and timing of notifications. "When the vendor to a HIPAA covered entity has a direct relationship, the HIPAA Breach Notification Rule requires a business associate like AMCA to notify the covered entity no later than 60 days following the discovery of a breach," he says.
"What we are discovering is that AMCA was also a subcontractor to another vendor providing services to the covered entity. In these instances, the HIPAA rules could allow 120 days or longer before the covered entity receives notification that their organization's PHI was disclosed. It is possible the 'drip, drip, drip' of breach notifications could continue for some time to come."