Third SEC Filing on AMCA Data Breach, Bringing Total to Over 20M Accounts Stored on Breached System

On Thursday, insideARM reported that a large data breach occurred at American Medical Collection Agency (AMCA), a healthcare collection agency. Two of AMCA’s clients, LabCorp and Quest Diagnostics, filed disclosures with the U.S. Securities and Exchange Commission (SEC) that AMCA’s data breach compromised their patients’ information. A third company, OPKO Health Inc., has also come forward, stating that the breach impacted their patients’ data as well.

OPKO Health’s SEC disclosure about the incident, filed on June 6, 2019, is very similar to the disclosures reported by LabCorp and Quest Diagnostics earlier last week. The breach occurred between August 1, 2018, and March 30, 2019, through unauthorized access to AMCA’s web payment page. AMCA notified BioReference Laboratories Inc., a subsidiary of OPKO Health Inc., that the compromised system stored personal data for approximately 422,600 BioReference patients—AMCA is notifying 6,600 of these patients that the breach may have impacted their information. The data stored included credit card and bank account information, email addresses, patient name, date of birth, address, phone number, date of service, provider, and the balance due. The system did not store social security numbers.

insideARM Perspective

This is a sobering story. Data security is a serious issue for debt collectors, specifically due to the sensitive nature of the information that debt collectors receive about consumers. Between the three disclosures thus far, we know that the compromised system stored information of over 20 million consumers and notices have been sent to at least 206,000 consumers potentially impacted by the breach (Quest Diagnostics’ SEC disclosure did not state how many consumers AMCA will notify about the incident). We continue to watch to see if other companies come forward about being impacted by this incident.