Multiple Class Action Lawsuits Filed in AMCA Breach

More Than a Dozen Lawsuits in Several States re: Breach Impacting 20 Million Patients
Multiple Class Action Lawsuits Filed in AMCA Breach

A flurry of class action lawsuits has already been filed by individuals alleging they have been injured by a data breach at American Medical Collection Agency, which impacted more than 20 million patients of at least three medical laboratory testing firms.

See Also: Identity Security Clinic

As of Monday, more than a dozen class action lawsuits had already been filed in several U.S. federal courts within one week of news breaking of an “unauthorized access” breach at AMCA that affected information of nearly 12 million Quest Diagnostics patients; 7.7 million LabCorp patients, and nearly 423,000 BioReference Laboratories patients.

Each of those three medical testing laboratory companies disclosed on June 3 being impacted by the AMCA breach in individual 8-K filings with the Securities and Exchange Commission.

In Quest Diagnostics’ situation, the Secaucus, N.J.- based firm said AMCA provides billing collections services to revenue cycle management firm Optum360, which is a Quest contractor.

The lawsuits include class action complaints naming all of the companies as defendants. In a few cases, lawsuits were filed naming AMCA and only one or two of the medical testing firms, and/or Optum360 as defendants.

Lawsuits’ Allegations

What the lawsuits all have in common are allegations by plaintiffs – patients of the labs whose information at some point had been turned over to AMCA for bill collecting - who say they’ve been harmed by the AMCA data breach.

”When certain customers do not pay their invoices within the requested time period, Quest will reach out to Optum360, who will provide information to AMCA to collect the balance,” one of the complaints against AMCA, Quest Diagnostics, Optum360 LabCorp, and BioReference notes.

“Consumers place value in data privacy and security. However, defendants failed to take all necessary precautions to secure the personal information given to them by consumers,” the complaint notes.

”Defendants … had a duty to plaintiff and class members to properly secure personal information, encrypt and maintain such personal information using industry standard methods, utilize available technology to defend its systems from invasion, act reasonably to prevent foreseeable harms to plaintiff and class members,” that complaint filed June 7 in a New York federal court notes.

“Defendants had the resources necessary to prevent the data breach but neglected to adequately invest in security measures, despite their obligation to protect such information,” the suit alleges.

The lawsuits allege a variety of claims, including negligence and breach of implied contract by the defendants in failing to protect the personal information of those individuals impacted by the data breach.

“The filing of these class action lawsuits will also likely result in the turning over documents and materials concerning the information security practices of the organizations, the relationships between the parties and results of investigations into who knew what and when.”
—David Holtzman, CynergisTek

Collectively, the lawsuits also allege a variety of state law violations, including the New York General Business Law, the Florida Deceptive and Unfair Business Practices Act, and the California Medical Information Act.

Among other things, the various lawsuits are seeking damages, penalties, and other monetary relief for those impacted by the breach.

AMCA Account

According to the SEC filings of the breached companies, AMCA says it learned from a third-party security firm of unauthorized activity on AMCA's web payment page occurring between August 1, 2018, and March 30, 2019.

"Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page," an AMCA spokesman tells Information Security Media Group.

"We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor and retained additional experts to advise on, and implement, steps to increase our systems' security. We have also advised law enforcement of this incident,” he says.

According to a breach report AMCA filed to North Carolina’s attorney general, for which ISMG was provided a copy, AMCA says it discovered the "hacker/unauthorized access" breach on March 20. AMCA says in the report that security measures had been previously taken to protect the data that was compromised.

"Certain information was encrypted. However the encryption keys were compromised," the report notes.

According to the SEC filings of the companies impacted by the AMCA breach, potentially compromised data includes patients’ healthcare and financial information, ranging from name, date of birth, address, phone, date of service, provider, balance information, and in some cases bank account information and Social Security numbers.

”Data breaches and identity theft have a crippling effect on individuals and detrimentally impact the entire economy as a whole,” one of the class action complaints against AMCA and the other companies notes. “Medical databases are especially valuable to identity thieves.”

Prognosis of Suits

The lawsuits filed so far are the first of many more that will undoubtedly get lodged against the AMCA and the other companies, some legal experts predict.

“Time will tell whether these … class action lawsuits have merit,” says privacy attorney David Holtzman of security consultancy CynergisTek.

”Class action litigators will often file lawsuits containing general allegations and claims of damage as part of a ‘first-in-line’ strategy that they believe will benefit their clients as well as enhance any attorney's fees that might be awarded,” he notes.

“The filing of these class action lawsuits will also likely result in the turning over documents and materials concerning the information security practices of the organizations, the relationships between the parties and results of investigations into who knew what and when.”

Government Scrutiny

In addition to the class action lawsuits being filed, AMCA and the affected healthcare companies are also facing intense scrutiny by state regulators and some members of Congress in the wake of the breach.

As least six state attorneys general - in Michigan, New York, Minnesota, North Carolina, Illinois and Connecticut – have said their offices are investigating the breach.

Also, New Jersey's two U.S. senators on June 5 sent a letter to New Jersey-based Quest Diagnostics demanding answers about the AMCA breach.

On a federal level, the breach case involving AMCA also brings to light issues involving HIPAA covered entities and business associate relationships, notes privacy attorney Iliana Peters of the law firm Polsinelli.

”I think the most important issue moving forward from both a litigation and regulatory standpoint is the HIPAA business associate liability, which stems from the vendor/HIPAA business associate relationship here and in many other cases about which state and federal regulators are investigating,” she says.

The Department of Health and Human Services’ Office for Civil Rights recently issued guidance on business associate liability, she notes. “It does seem like an issue that at least OCR is particularly interested in from an enforcement perspective. I will be particularly interested to see if the issue also comes up with state regulators or with litigation moving forward.”

Early Lessons

In the meantime, important lessons, especially about vendor security risk management are already emerging from the breach, despite scant details being revealed by AMCA about the incident so far.

“The key lessons to be learned are that healthcare organizations must perform risk based assessments of vendors’ information security practices and safeguards,” Holtzman says. “The more access an organization has to your information system or the sensitivity of the data, the more comprehensive and thorough the examination.”

In addition, as Quest Diagnostics’ relationship with Optum360 – which used AMCA for bill collecting - illustrates, downstream vendors handling sensitive data must also be closely scrutinized, Holtzman says.

”Ask your vendor or contractors to identify and perform vendor management assessment of the subcontractors or vendors they hire to create or maintain your organization's personally identifiable data,” he says.

“Ensure that all vendor agreements include provisions for what types of incidents have to be reported your healthcare organization and when that notification must be provided. Equally important is specifying in your vendor contract how information about incidents involving subcontractors are reported to you and rights to obtain information or investigate such incidents.”

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.