Maine’s Penobscot Community Health Center reports 13,000 patients were impacted by the billing services vendor AMCA data breach, which claimed victims from Quest, LabCorp, and BioReference.
Penobscot Community Health Center in Maine recently began notifying about 13,000 patients that their data was potentially compromised in an eight-month-long hack on its billing services vendor, American Medical Collection Agency.
In early June, AMCA began notifying clients of a system breach that impacted several of its health clients. According to the notice, a hacker gained access to its system from August 1, 2018 to March 30, 2019.
The system contained a trove of information that varied by client, from demographic details to medical data and some Social Security numbers. So far, up to 12 million Quest Diagnostics patients, 7.7 million LabCorp patients, and 422,000 BioReference patients were all included in the breach victim tally.
PCHC contracted with AMCA for its billing collection services. According to the notice, AMCA notified the provider of the eight-month breach on May 15, 2019. The data compromised during the hack included patient names, dates of birth, provider name, and other medical data. Some credit card information was also potentially breached.
AMCA did not store any PCHC health records, diagnoses, or treatment details. Not all PCHC patients were included in the security incident; only patients whose accounts were sent to AMCA for debt collection were. Patients will receive two years of free credit monitoring and identity theft protection services.
PCHC has since stopped doing business with AMCA and is currently taking steps to retrieve and secure all patient data contained in the vendor’s systems.
The breach completely devastated the parent company of AMCA, Retrieval-Masters Creditors Bureau. The vendor filed for Chapter 11 bankruptcy just weeks after the breach notifications went public, calling it a “cascade of events” with “enormous expenses that were beyond the ability of the debtor to bear.”
The vendor, Quest, and LabCorp are currently facing dozens of lawsuits and state investigations as the “wrongful disclosure has harmed plaintiffs and the classes believed to include millions of individuals.”
Along with claiming Quest, LabCorp, and AMCA failed to notify patients in a timely fashion, the lawsuit alleged the vendors “apparently allowed hackers to access plaintiffs’ and other class members’ sensitive information for at least seven months and did nothing to let the victims know about the data breach for nearly a year after it began.”
“While it is uncertain whether plaintiff and class members’ sensitive and HIPAA-protected medical information was compromised, the fact that the breach occurred and that cybercriminals obtained account information of plaintiffs and class members makes it likely that private medical information will or has been disclosed already on the ‘dark web,’” according to the lawsuit.
State attorneys general from Connecticut, Illinois, and Michigan, as well as Democratic New Jersey Senators Cory Booker and Bob Menendez, have all opened inquiries into the breach to determine just how the hack went undetected for nearly eight months.
Source: HealthITSecurity