Yet Again, More Victims Added to AMCA Breach Tally
'It's Like Watching a Train Wreck in Slow Motion'
This story has been updated.
The list of laboratories and other healthcare clients affected by the data breach at American Medical Collection Agency continues to grow – as does the number of patients whose data may have been exposed.
At least nine more companies in the last few days have revealed that they have been notified by AMCA that the data on a combined total of nearly 1 million of their patients was potentially exposed by a data breach the debt collector discovered on March 21.
So far, at least 16 client companies and more than 23 million patients are estimated to have been affected by the incident, which appears to be the largest health data breach of the year.
“It's like watching a train wreck in slow motion,” says privacy attorney David Holtzman of the security consulting firm CynergisTek. “It’s safe to say that we have not heard the last of the growing tally of healthcare providers whose patient data was exposed through this breach.”
On June 17, Retrieval-Masters Creditors Bureau – the parent company of AMCA – filed a petition in a New York federal bankruptcy court seeking approval for an "effective transition into Chapter 11 and to provide the best opportunity for a cost-effective and orderly liquidation." (See: AMCA Bankruptcy Filing in Wake of Breach Reveals Impact).
AMCA is one of the larger collection agencies serving healthcare organizations, including clinical laboratories, hospitals and physicians, Holtzman says. “The likely cause for the desultory notification process is that AMCA is having difficulty completing an inventory of the data affected by the cybersecurity incident,” he adds.
Among the latest firms to be disclosed, and the number of their patients affected, are:
- American Esoteric Laboratories, a medical testing lab based in Memphis, Tenn. – about 542,000 patients;
- CBL Path Inc., a pathology lab based in Rye Brook, New York - 149,000 patients;
- Laboratory Medicine Consultants, a lab in Las Vegas - 148,000 patients;
- Austin Pathology Associates, a lab based in Austin, Texas - 47,000 patients;
- Pathology Solutions LLC, a lab in Eatontown, N.J. - 13,000 patients;
- Seacoast Pathology, a lab in Exeter, N.H. - 10,000 patients;
- Arizona Dermatopathology, a Scottsdale, Arizona-based skin pathology lab - 7,000 patients;
- Western Pathology Consultants, a Reno, Nevada-based lab - 5,000 patients;
- Natera Inc., a reproductive services firm in San Carlos, Calif. - 3,000 patients.
Other Affected Clients
At least seven other companies are known to have been impacted by the AMCA breach.
Among the largest victims originally identified are Quest Diagnostics, which says nearly 12 million of the patients that it serves were impacted by the breach; LabCorp, which reported 7.7 million patients were affected; and BioReference Laboratories, which said nearly 423,000 of its patients were impacted.
Last week, Austin, Texas-based Clinical Pathology Laboratories also revealed that more than 2.2 million patients it serves potentially were affected by the incident. Also, last week, Penobscot Community Health Care, which operates several community health centers in Maine, began notifying about 13,000 patients that their information may also have been contained in AMCA's systems impacted in the cyberattack.
In addition, a June 12 consumer alert from the Maryland state attorney general's office indicates other companies impacted by the AMCA breach include Connecticut-based post-acute healthcare services provider, Carecentrix, with 500,000 patients affected, and New York-based Sunrise Laboratories, a unit of Sonic Healthcare, for which no breach tally number has yet been disclosed.
Largest Health Data Breach So Far in 2019
The various breach notification statements issued by the affected clients note that AMCA says the unauthorized activity on its systems occurred between Aug. 1, 2018, and March 30, 2019.
Based on the notification statements issued by its affected clients, the AMCA incident appears to be the largest health data breach so far this year. But as of July 25, only one victim entity - Natera - had a breach report for the AMCA incident posted on the Department of Health and Human Services’ HIPAA Breach Reporting Tool website. Commonly known as the “wall of shame,” the website lists health data breaches impacting 500 or more individuals.
HHS’ Office for Civil Rights, which compiles the list, declined to comment to Information Security Media Group on whether the agency has received any breach reports related to the AMCA incident.
Under the HIPAA breach notification rule, organizations have 60 days to report breaches that affect 500 or more individuals. But breach reports are not posted to the wall of shame until OCR has reviewed the reports and confirmed the details.
In a court filing last week by Quest Diagnostics – AMCA’s largest client victim – the laboratory testing firm complained that AMCA “agreed to provide - but then failed to complete breach notification” to OCR.
The Quest Diagnostics court filing was related to AMCA’s parent company’s bankruptcy petition, which stated that the data breach suffered by the Elmsford, New York-based debt collection agency has resulted in “enormous expenses that were beyond the ability of [the company] to bear.”
An attorney representing AMCA in its legal issues involving the breach did not immediately respond to ISMG’s request for comment on the latest developments.
Breach Notification Duties
Holtzman notes that the HIPAA Breach Notification Rule “requires a business associate like AMCA to notify the covered entity no later than 60 days following the discovery of a breach. Likewise, the HIPAA Security Rule requires similar notification by the business associate to the covered entity when there has been a security incident.”
Most, but not all, state laws similarly require that the vendor who has had a breach notify the data owner, he adds.
“One way to think about Quest's complaint is that either its business associate AMCA waited too long to report the breach to Quest, or AMCA has not complied with a contractual arrangement in which the business associate was delegated the responsibility to report breaches directly to OCR,” Holtzman says.
OCR potentially could take enforcement action against AMCA if an investigation by the agency determines that it failed to notify Quest and the other covered entities affected by their breach in a timely manner, he adds. “It is doubtful that AMCA had any obligation under the HIPAA Breach Notification Rule to report the breach directly to OCR.”
Despite the bankruptcy filing, “OCR can - and should - conduct an investigation into the circumstances that led to the cybersecurity incident and resulting breach that has exposed the sensitive health and financial information of millions of consumers,” Holtzman says.
In 2018, OCR entered into a resolution agreement with FileFax after the firm had been liquidated.