AMCA Breach Victim Count Continues to GrowMore Affected Labs Revealed; Several Breach Reports Show Up on Federal Tally
The American Medical Collection Agency breach continues to grow messier, with more lab companies being added to the victim count.
Meanwhile, victim companies' breach reports are starting to show up on the federal health data breach tally.
Based on announcements made so far, it appears that more than 21 companies and at least 24 million individuals were affected by the AMCA breach, which apparently makes it the largest health data breach reported this year. And it's likely that more victim companies will be revealed in the weeks to come.
Aurora Diagnostics Affiliation
Laboratory of Dermatopathology in Woodbury, New York, and South Texas Dermatopathology in San Antonio, Texas - are among the companies that have recently issued notification statements about being impacted by the AMCA breach.
Laboratory of Dermatopathology says about 4,200 patients were impacted by the AMCA breach, while South Texas Dermatopathology says about 16,000 patients were impacted by the incident.
As of Wednesday, neither of those companies' breach reports were posted on the Department of Health and Human Services' Office for Civil Rights' HIPAA Breach Reporting Tool website listing health data breaches impacting 500 or more individuals.
Both of those laboratories are affiliated with Palm Beach Gardens, Florida-based Aurora Diagnostics, as are several other companies that have revealed in recent weeks they were affected by the AMCA breach.
Other Aurora Diagnostics-related labs affected include Laboratory Medicine Consultants, Western Pathology Consultants, and Arizona Dermatopathology - which each had previously released a breach notice.
An attorney representing Aurora Diagnostics tells Information Security Media Group that nine covered entities affiliated with Aurora Diagnostics were affected by the AMCA breach. But she declined to identify the four other companies impacted, or the total number of patients affected.
Other Companies Affected
In addition to those Aurora-related laboratories, other companies recently issuing statements about being victims of the AMCA breach include Hicksville, N.Y.-based Sunrise Medical Laboratories Inc. and West Hills, California-based West Hills Hospital & Medical Center.
In its breach notification statement, Sunrise Medical Laboratories says that when AMCA notified Sunrise in May about the breach, the collection agency did not initially provide Sunrise with enough information for it to identify potentially affected patients.
In its statement, West Hills Hospital & Medical Center says it used a company called United WestLabs, Inc. - or UWL - to manage its reference laboratory.
"We recently became aware that AMCA, a collection services agency that UWL and West Hills have used for patient collections services, experienced a security incident affecting one of its web servers," the statement notes. Since learning of the AMCA breach, UWL and West Hills stopped using AMCA's services, it points out.
Retrieval-Masters Creditors Bureau - AMCA's parent company - said in a June bankruptcy petition in a New York federal court that many of its top clients, including Quest Diagnostics and LabCorp, dropped AMCA as a vendor shortly after learning of the AMCA incident.
Federal Breach Tally
As of Thursday, at least nine organizations' breach reports related to the AMCA incident were posted on the HHS breach tally, often called the "wall of shame." Those are:
- Optum360, LLC, a vendor for Quest Diagnostics, reporting 11.5 million individuals impacted;
- LabCorp, 10.25 million;
- Memphis Pathology Laboratory, which does business as American Esoteric Laboratories, 410,000;
- Inform Diagnostics, 174,000;
- Laboratory Medicine Consultants,141,000;
- Penobscot Community Health Center, 13,300;
- Arizona Dermatopathology, 6,000;
- Western Pathology, 4,100;
- Natera, 3,000.
The AMCA breach will have an impact far beyond the organizations directly affected, says independent health information privacy and security attorney Paul Hales.
"The dramatic increase in breaches drives up healthcare costs," he says. "Investigations, legal fees, mitigation and other covered entity expenses add to the cost of care paid by or for patients."
Potential investigations into the AMCA breach by law enforcement authorities may turn up violations of HIPAA and other privacy and security related regulations, Hales says. "Senior management and boards of directors are responsible but often fail to provide effective oversight of an organization's HIPAA compliance program," he notes.
More than a dozen federal class action lawsuits have been filed in several states against AMCA and some of the company's affected clients by affected patients since the breach was publicly revealed in June.
A Complicated Tale
Privacy attorney David Holtzman of the security consultancy CynergisTek says the AMCA breach is shaping up to be unusually complicated.
"AMCA had a complex web of business relationships," he notes. Certain other massive health data breaches, including the one involving health insurer Anthem, have affected a large number of other organizations, he notes. "What seems to be different here is that the affected covered entities are publicly naming AMCA as the root cause ... in their breach notification announcements, more so than what we have seen in past incidents caused by a third-party service provider," he says.
"Some of the factors adding to the complexity and messiness in notifying those affected by the breach is that there appears to have been a failure to inventory and track the individuals whose data had been shared with AMCA, what information had been collected and what data was exposed through the cybersecurity incident," he notes.
The announcements from a number of covered entities claim that AMCA failed to provide them with detailed information on what data had been compromised and the identity of the individuals affected, Holtzman points out. "In addition, it now appears that AMCA was directly notifying individuals whose credit card or debit card data was disclosed. This could sow confusion among consumers who are receiving multiple notifications and from more than one organization."