More Than 20 Million Individuals Impacted by AMCA Data Breach

The number of individuals affected by the data breach at American Medical Collections Agency (AMCA) continues to rise. According to recent Security and Exchange Commission (SEC) filings, the laboratory and clinical testing companies LabCorp and BioReference Laboratories have also been affected by the data breach.

Quest Diagnostics was the first to disclose it had been affected by the breach. Records relating to around 11.9 million individuals were exposed, which included Social Security numbers and financial information. Next came LabCorp. Financial information was also exposed but no Social Security numbers. Up to 7.7 million of its customers have had some of their personal information compromised. BioReference Laboratories also announced, via its SEC filing, that it has been informed that 422,600 individuals that used its testing services have had their records compromised.

AMCA has not provided any of the above entities with details about the individuals whose personal information was exposed, so notification letters cannot yet be issued. LabCorp was informed that approximately 200,000 individuals whose financial information was exposed have been notified about the breach by AMCA, which has offered free credit monitoring and identity theft protection services for 2 years. Around 6,600 patients who used BioReference Laboratories have similarly been notified and offered credit monitoring and identity theft protection services.

A breach on this scale naturally takes some time to investigate and identify who has been affected, and to what extent. All affected companies have been in contact with AMCA and have requested further information to allow notifications to be issued. All three companies have also stopped sending data to AMCA. BioReference Laboratories has also requested AMCA stop working on all pending collection requests.

There may well be other entities affected by the breach. According to the AMCA website, the company works with many hospitals, clinics, physician groups, laboratories, and other healthcare clients throughout the United States.

Following the SEC filings and media announcements, at least four state attorneys general have launched investigations into the breach and have contacted AMCA and the affected companies demanding further information. Two new Jersey senators have also written to Quest Diagnostics demanding explanations about the breach.

Michigan Attorney General Dana Nessel has expressed concern about the nature of the attack. AMCA appears to have been targeted with a view to gaining access to financial and personal data, and the risk of that information being used to commit fraud is high. Nessell is also concerned about the length of time the hackers had access to AMCA’s web payment page – from August 1, 2018 to March 30, 2019 – and why the breach was not detected sooner.

New York Attorney General Letitia James, North Carolina Attorney General Josh Stein, and Minnesota Attorney General Keith Ellison have all confirmed that they are investigating and are seeking answers.

As it stands, as many as 20,022,600 records were compromised and potentially stolen. That number may well grow considerably over the next days and weeks as the breach investigation continues.