Impact of AMCA Breach Continues to GrowMore Victims Identified; Allegations Made in Court Filings
The impact of the massive American Medical Collection Agency data breach continues to grow.
See Also: HIPAA Audits: A Revised Game Plan
In recent days, at least two more laboratories that were AMCA clients have issued notification statements saying their patients' data was potentially compromised in the breach.
Meanwhile, court filings related to the parent company of the medical debt collector's recent bankruptcy petition allege a lack of "cooperation and transparency" in the wake of the security incident.
AMCA did not immediately respond to ISMG's request for comment on the latest developments in the breach case and bankruptcy.
Victim Tally Grows
So far, at least a half dozen companies - and more than 22 million individuals - are known to have been impacted by the AMCA breach.
Among the largest victims originally identified are three lab testing firms: Quest Diagnostics, which says nearly 12 million of the patients that is serves were impacted by the breach; LabCorp, which reported 7.7 million patients were affected; and BioReference Laboratories, which said nearly 423,000 of its patients were impacted.
On Monday, Austin, Texas-based Clinical Pathology Laboratories, revealed that more than 2.2 million patients it serves potentially were affected by the incident.
Among the other most recently revealed AMCA clients impacted by the breach are Penobscot Community Health Care, which operates several community health centers in Maine. Last Friday, the organizations began notifying about 13,000 patients that their information may also have been contained in AMCA's systems impacted in the cyberattack.
In addition, a June 12 consumer alert from the Maryland state attorney general's office indicates other companies impacted by the AMCA breach include Connecticut-based post-acute healthcare services provider, Carecentrix (500,000 patients affected), and New York-based Sunrise Laboratories, a unit of Sonic Healthcare, for which no breach tally number has been disclosed yet.
'Drip, Drip, Drip'
Some security and privacy experts predict that additional revelations about companies victimized by the AMCA breach will come to light in the weeks and months to come.
"I am not surprised by the drip, drip, drip of news that is providing us a picture of the full size and scope of this cybersecurity incident," says privacy attorney David Holtzman of security consulting firm CynergisTek.
AMCA is one of the larger of collection agencies serving the healthcare sector, he notes.
"Applying the patchwork of state and federal requirements for reporting breaches to the nationwide reach of AMCA's disclosure of personally identifiable information means months will pass before all the affected healthcare organizations have completed the notifications to individuals, the media and regulators."
In court documents filed Monday by Quest Diagnostics related to the bankruptcy petition by AMCA's parent company, Retrieval-Masters Creditor Bureau, the lab test firm complains about AMCA's lack of "cooperation and transparency" in the wake of the breach and the debt collector's bankruptcy filing.
Quest Diagnostics notes in the court filing that AMCA provided billing collections services to revenue cycle management firm Optum360, which is a Quest contractor. Since learning of the breach, Quest and Optum360 - a unit of the health insurance company UnitedHealth Group - have worked to obtain information from AMCA about the incident, Quest says in its filing.
"Optum has, among other things, sought access to [AMCA's] systems to independently assess the environment, access which [AMCA] has not fully granted; attempted to work with [AMCA] directly to recover the data; and sought to obtain assurances from the AMCA that the data will be maintained securely on an ongoing basis," Quest writes in its court filing. "Unfortunately, Optum has informed Quest that the response from [AMCA's] current management has been inadequate."
Quest alleges that AMCA:
- Refuses to permit Optum's experts to conduct an on-site data security inspection;
- Refuses to transfer a complete copy of Quest's data in a usable format to Optum;
- Agreed to provide but then failed to complete breach notification to the U.S. Department of Health and Human Service's Office for Civil Rights.
Quest's filing also claims that AMCA has "collected in excess of $500,000 of Quest's receivables in the ordinary course of its business, but has not remitted any of these ... funds to Quest."
Other Court Action
In another development, the state of Indiana's attorney general's office on July 10 - with support of several other states' attorneys general - filed a motion to convert AMCA's Chapter 11 bankruptcy petition - which could allow for a restructuring of the company's debt - to Chapter 7, which would call for the company to be liquidated.
That Indiana motion cited AMCA's "lack of intent and inability to reorganize and its lack of transparency in dealing with the fallout from the Incident."
"One lesson to be learned from this fiasco is to ensure that all vendor agreements include provisions for what types of incidents have to be reported your healthcare organization and when that notification must be provided."
—David Holtzman, CynergisTek
In other court filings, the judge handling AMCA's petition for Chapter 11 bankruptcy last week agreed to allow AMCA to sign a services agreement with a software consulting company, End Point Corp, to handle ongoing IT work, ongoing security auditing as well as work related to the breach.
Court documents indicate that the services End Point provides to AMCA "are critical to [AMCA's] ability to complete programming upgrades to its IT systems related to and/or arising from the data breach."
Since the June public revelation of the data breach, more than a dozen class action lawsuits have been filed against AMCA, as well as against some of the company's clients impacted by the incident, including Quest Diagnostics, LabCorp and BioReference Laboratories.
Also, New Jersey's two U.S. senators in June sent a letter to Secaucus, New Jersey-based Quest Diagnostics demanding answers about the AMCA breach.
In addition, the attorneys general of several states have also announced they've launched investigations into the AMCA breach.
Information coming to light in the AMCA bankruptcy suggests circumstances that may turn the breach into a "perfect storm," says health information privacy and security attorney Paul Hales.
The various court filings "show AMCA class action defendants turning against each other," he notes.
"AMCA's tangled connections to covered entity customers and other business associates isn't unusual. It may expose deep-pocket defendants to liability in class actions that have been and will be filed."
Lessons Learned, So Far
Healthcare organizations should take note of lessons already emerging from the AMCA saga, Holtzman says.
"One lesson to be learned from this fiasco is to ensure that all vendor agreements include provisions for what types of incidents have to be reported your healthcare organization and when that notification must be provided," he says.
"Equally important is specifying in your vendor contract how information about incidents involving subcontractors are reported to you and rights to obtain information or investigate such incidents."
Another important lesson is that healthcare organizations should perform risk-based assessments of vendors' information security practices and safeguards, Holtzman adds.
"The more access an organization has to your information system or the sensitivity of the data, the more comprehensive and thorough the examination," he says.