Financial details of nearly 12 million patients may be at risk following a security breach at American Medical Collection Agency.
The billing collections service provider is currently taking steps to address the situation and mitigate damage, while informing clientele of the incident, including Quest Diagnostics, a blood testing company which, along with one of its contractors, Optum360, utilizes AMCA’s billing collection services.
“On May 31, 2019, AMCA notified Quest and Optum360 that the data on AMCA’s affected system included information regarding approximately 11.9 million Quest patients. AMCA believes this information includes personal information, including certain financial data, Social Security numbers, and medical information, but not laboratory test results," said a Quest spokesperson in a statement to HCB News, adding that "Quest is taking this matter very seriously and is committed to the privacy and security of our patients’ personal information."
Quest has since suspended transmission of collection requests to AMCA and is working with Optum 360 to ensure patients are notified of the situation, in accordance with the law. No lab test results were breached, according to The Hill
It is, however, unable to verify the accuracy of the information received from AMCA at this time, and says that it has not received “complete information” on the breach, including details on which customers were impacted.
In response, AMCA says it has taken a number of steps to investigate the matter. "We are investigating a data incident involving an unauthorized user accessing the American Medical Collection Agency system," Jennifer Kain, a company spokesperson, told HCB News. "Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page. We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident. We remain committed to our system’s security, data privacy, and the protection of personal information."
The breach was first reported in February by Databreaches.net, which was notified by security compliance firm, Gemini Advisory that the payment details of 200,000 patients from the billing collection provider were on sale on a dark web marketplace. The information is believed to have been compromised between September 2018 and March 2019, according to Databreaches.net
Dr. Teow-Hin Ngair, CEO of SecureAge, a government and enterprise data security and encryption provider, says that such events are unfortunately common within the healthcare industry due to the community not paying enough attention to cybersecurity, compared to other facets of healthcare.
"This is not the first time the healthcare industry has seen a breach in client information. One of the fundamental issues is that medical agencies, providers and hospitals aren't making cybersecurity enough of a priority in general," he told HCB News. "This could stem from the fact that lost patient records do not really impact their business directly — and they don't lose any money directly resulting from patient record breaches. Unless more regulations are put in place, this will continue to be a recurring issue."
This is a developing story. HealthCare Business News will update it as more information is released.