Debt Collection Company Hack May Affect 20+ Million Patients

Aweb payment page operated by American Medical Collection Agency
(AMCA-Elmsford, NY) has been hacked and may have exposed personal data on 20+ million patients from at least three commercial lab companies: Quest Diagnostics, LabCorp and BioReference Labs. AMCA, which also does business under the name Retrieval-Masters Credit Bureau, is a third-party debt collector with a reputation for aggressively pursuing patients for past due bills.

The hack was initially discovered in late February by the web payment
security monitoring firm Gemini Advisory (New York City), when they
found credit card information from patients linked to AMCA being sold
on a darknet marketplace. Gemini believes the AMCA hack may turn out
to be the largest medical breach of 2019.

Quest Diagnostics says that it was notified by AMCA of the data breach on May 14. AMCA said that an “unauthorized user” had gained access to social security numbers, credit card numbers, bank account information and other sensitive data from up to 11.9 million Quest patients between August 1, 2018 and March 30, 2019. Quest says that patient lab test results are not provided to AMCA and were therefore not affected by the hack. Quest has suspended sending collection requests to AMCA.

LabCorp says the data breach may have affected 7.7 million of its patients referred to AMCA. LabCorp has ceased sending new collection requests to AMCA and stopped the agency from working on any of its pending collection requests.

OPKO Health Inc. says that 422,600 of its patients may have been impacted by the hack through its subsidiary, BioReference Laboratories (Elmwood Park, NJ). BioReference has not sent any new collection requests to AMCA since October 2018, and has requested that it stop working on any pending collections.

In a statement, AMCA said it was notified of a potential data breach by a security compliance firm (i.e., Gemini) that works with credit card companies, which resulted in the collections agency conducting an internal review and then taking down its web payment page. As of early June, Gemini said that it can verify more than 200,000 compromised payment records related to the breach, and that more records are continually being added to dark web marketplaces.

Meanwhile, at least six state attorneys general—in Michigan, New York, Minnesota, North Carolina, Illinois and Connecticut—are now investigating the breach.