Over the past 10 days, several more healthcare providers have announced that they have been affected by the data breach at American Medical Collection Agency (AMCA). Quest Diagnostics, LabCorp, and BioReference Laboratories were the first to confirm they had been affected. More than 20 million patient records from those laboratories were exposed in the breach.
Clinical Pathology Associates was also badly affected. 2.2 million of its patients had their personal information exposed. More than a dozen other healthcare companies have now confirmed that they have received notification from AMCA that their patients’ data was also involved.
As it stands, 18 healthcare providers have confirmed they were affected, and almost 24 million records have been exposed. There could well be other healthcare providers affected by the breach. The final total is unlikely to be known for some time.
Many of the affected companies have complained that AMCA has been slow to release information and that requests to participate in the investigation have been turned down. Several of the companies that have recently made announcements said it was not possible to issue notifications to the media any sooner as they had incomplete information on the breach and were not sure how many patients had been affected.
Healthcare companies confirmed as having been affected by the AMCA data breach are detailed below, with the approximate number of records involved.
|Healthcare Organization||Records Exposed|
|Clinical Pathology Associates||2,200,000|
|American Esoteric Laboratories||541,900|
|Sunrise Medical Laboratories||427,000|
|BioReference Laboratories/Opko Health||422,600|
|Laboratory Medicine Consultants||147,600|
|Austin Pathology Associates||46,500|
|South Texas Dermatopathology PLLC||16,100|
|Penobscot Community Health Center||13,000|
|Seacoast Pathology, Inc||10,000|
|Western Pathology Consultants||4,550|
|Laboratory of Dermatology ADX, LLC||4,240|
Only a small percentage of the breach victims have had their financial information exposed. Those individuals have been notified by AMCA. All other individuals are likely to receive their notifications in the next few weeks.
AMCA has spent in excess of $3.8 million following the breach. Most of that money has been spent on breach notifications, hiring IT consultants, and investigating the breach. AMCA’s parent company has filed for Chapter 11 bankruptcy protection.
The breach is being investigated by state attorneys general and several senators have demanded answers. The HHS’ Office for Civil Rights will also be keen to investigate to determine whether HIPAA Rules were violated.