It now appears that over 20 million patients have been affected in the massive AMCA healthcare data breach, including nearly 12 million patients of Quest Diagnostics, 7.7 million patients of LabCorp, and over 422,000 patients of BioReference Labs (a subsidiary of OPKO). Personal data that was accessed by unauthorized third-party hackers include a mix of payment data, medical test data, and personally identifiable information (PII). The sheer size and scope of this AMCA healthcare data breach would make it one of the biggest ever, with the potential for significant risk for AMCA and the affected companies.
Even worse, the data breach went undetected for more than eight months, and even when it was detected on March 30, AMCA and the other medical companies waited weeks before alerting customers and clients. At the beginning of June, companies affected by the data breach began alerting investors and shareholders about the healthcare data breach via public filings of 8-Ks with the Securities and Exchange Commission (SEC). Thus far, Quest Diagnostics, LabCorp and OPKO have filed 8-Ks with the SEC, meaning that investors in the stock market may now take this healthcare data breach into account when deciding how to value these medical healthcare giants. Even if class action lawsuits are resolved without huge liabilities, these companies may lose tens of millions of dollars in stock market valuation.
Details of the AMCA healthcare data breach
Starting in August 2018, hackers began to access American Medical Collection Agency (AMCA) healthcare data. AMCA, which provides billing and collection services for some of the biggest names in the medical laboratory testing business (including Quest Diagnostics, LabCorp, and BioReference Laboratories), says that hackers obtained access to its web payment page. As a result, these hackers were able to access information such as name, date of birth, address, phone number, provider name, balance information, payment card information, bank account information, Social Security Number and information about lab tests performed. The exact information accessed for each of the respective companies varies, but there appears to be a mix of payment data, PII data and medical test data in each case.
Tim Erlin, VP, product management and strategy at Tripwire commented on the value of this personal information to cybercriminals: “A criminal with the details about patients’ medical bills is in a good position to fraudulently collect money from those patients. Imagine if you received an email with accurate details about a medical bill you actually have, and a link to make a payment. It only takes a handful of people to fall for this scam in order for it to be worthwhile for the criminal. There’s no doubt that this information will be monetized. It will be sold and potentially re-sold, but ultimately used to the detriment of the consumers affected.”
Under the terms of the HIPAA Act, providers must notify patients within 60 days of any healthcare data breach discovery. And it is here where AMCA is potentially at the most risk. It’s bad enough that the data breach went undiscovered for more than eight months (from August 1, 2018 to March 30, 2019); it’s also that AMCA appears to have slow-walked any information about the scope and size of the data breach even when it was discovered. Waiting weeks or months before alerting customers further complicates the issue, and vastly raises the risk that any accessed medical information will be used in nefarious ways by hackers (e.g. selling payment card and personal information on the Dark Web). Of the 20 million people affected by the data breach, only 200,000 have now been contacted directly and told to safeguard their personal information. Thus, more than 60 days after the healthcare data breach at AMCA was discovered, only a tiny percentage of medical healthcare patients have even been told about it.
As a result, AMCA is now facing extensive legal action in several different states. State Attorney Generals in Connecticut, Illinois, Michigan and New Jersey are all looking into legal action that can be taken against the company. And in New York State, class action lawsuits are already starting to pile up. One class-action lawsuit, for example, involves more than 1,000 class members who were affected by the AMCA healthcare data breach. In an effort to avert full-scale disaster, AMCA notified law enforcement authorities and shut down its breached payments page. And Quest Diagnostics, for its part, has now suspended sending collection requests to AMCA.
The financial impact of data breaches
But if might be a case of too little, too late. As a result of this legal tsunami facing AMCA over the healthcare data breach, it now appears that the company is going to file for financial bankruptcy. Even though the thieves and scammers may not have directly impacted AMCA as a result of the healthcare data breach, all of the follow-on consequences (i.e. lawsuits, regulatory fines, stock market devaluation) may be enough to doom the company.
And it’s not just AMCA that is facing an uncertain future over the massive healthcare data breach. Investigators have already taken LabCorp to task for inadequate data security and a glaring lack of attention to best practices for protecting and preserving customer data. For example, LabCorp lacked procedures and processes related to audit logs, access reports, and security incident tracking reports. Thus, when a healthcare data breach occurred, the company was woefully unprepared for what happened next. And the same is likely true for the other companies affected by the AMCA healthcare data breach.
A warning for other data-centric companies
At this point, it’s almost a certainty that the AMCA healthcare data breach will lead to a completely new playing field within the healthcare industry. The days of ignoring healthcare IT security are now over. A single data breach – even if it does not lead to any direct negative impacts – still has the potential to topple a huge company. AMCA, while perhaps not a household name across America, was nonetheless the leading recovery agent for patient collections, and played an important role in sorting out billing collections for top healthcare companies.
Jonathan Deveaux, head of enterprise data protection at comforte AG explains why companies like AMCA face significant risks: “The healthcare industry may be the most vulnerable of all industries to cyber attacks. It’s about the data healthcare operators have access to. In the AMCA cyber heist, data stolen included patient PII and lab test info, but also included healthcare provider info, credit/debit card info, bank account info, and social security numbers. This was a treasure trove of data to a cyber thief!“
More broadly, the sad case of the AMCA healthcare data breach may have huge consequences for other data-centric companies, in fields such as financial services or digital marketing. Data security has become a topic worthy of CEO attention, and one that could determine the future financial strength and security of a company. As a result, companies of all sizes need to make the protection of personal data and information a key strategic priority going forward.