A month after the medical collection portal owned by the American Medical Collection Agency (AMCA) fell victim to a data breach that has affected more than 20 million of their users from different blood testing laboratories and medical institutions around the country, a new AMCA partner lab came forward and said that their clients were also affected by the data breach.
According to Clinical Pathology Laboratories (CPL), 2.2 million clients may have had their names, addresses, phone numbers, dates of birth, dates of service, balance information, and treatment provider information stolen from the previously reported data breach involving AMCA.
Last month, data were stolen from users of the AMCA payment portal that was used to pay for laboratory fees by more than 20 million victims. These data include their names, phone numbers, dates of birth, home addresses, social security numbers, credit card numbers, and other bank details.
The list of impacted testing laboratories includes Quest Diagnostics (11.9 million patients), LabCorp (7.7 million patients), BioReference Laboratories (Opko Health subsidiary, 422,600 patients), Carecentrix (500,000 patients), and Sunrise Laboratories (undisclosed number of patients).
This time, Clinical Pathology Laboratories (CPL) says that an additional 2.2 million victims of the data breach come from their client list, and another 34,500 patients had their credit card or banking information compromised.
The company blamed the late announcement from CPL to AMCA for not providing them with enough information regarding the breach when it was first disclosed in June.
“At the time of AMCA’s initial notification, AMCA did not provide CPL with enough information for CPL to identify potentially affected patients or confirm the nature of patient information potentially involved in the incident, and CPL’s investigation is on-going,” said the company in a statement.
As of today, it is still unclear whether AMCA nor its partner companies have reached out to their clients to personally notify them about the data breach. Back in June, AMCA first disclosed that only 200,000 clients had their data compromised. However, reports from its partners have confirmed that the victim tally reaches 20 million.
AMCA and partners were slapped with lawsuits
AMCA, Quest, and LabCorp in June were slapped with at least 19 lawsuits concerning the data leak. More than 19 class-suite actions have been filed against the three companies for their involvement in the breach and their inability to fulfill the promise of protecting their clients’ sensitive information.
According to one of the lawyers in one of the lawsuits hurdled against the involved companies, healthcare providers are one of the most susceptible entities, but they have lackluster data protection systems.
“Healthcare companies are especially susceptible to data breaches not only because they aggregate a tremendous amount of important and sensitive data, but also because they tend to be less focused on cybersecurity protection than other industries,” said John Yanchunis of Morgan and Morgan, one of the firms who filed lawsuits against Quest Diagnostics.
Yanchunis said that these companies “know [that] they are at an increased risk and yet have not taken the proper steps to protect their patients’ data.”
AMCA filed for bankruptcy
Amid the data breach that centers the American Medical Collection Agency, the company has filed for bankruptcy and laid off more than 70% of its workforce, as cost in mitigating the impacts of the leak has to lead the company to lose a massive amount of money.
According to the company, the data breach “resulted in enormous expenses that were beyond the ability of the Debtor to bear.”
“Almost immediately upon learning of the breach, LabCorp unqualifiedly and indefinitely terminated its relationship with the Debtor,” the filing reads.
“Soon after, Quest Diagnostics, Conduent, Inc., and CareCentrix, Inc. which together with LabCorp were the Debtor’s four largest clients, stopped sending new work to the Debtor, and all terminated or substantially curtailed their business relationships with the Debtor.”
Cybersecurity experts have estimated that the company most likely to spend at least $400,000 for cyber forensics alone. Add to that the cost of IT support, severe restrictions that were put in place to protect AMCA’s network from further intrusion, looming court cases, and the loss of valuable business partners; it is most likely that the company was driven to the abyss of bankruptcy by the data breach.
Of course, to cut cost, AMCA has also laid off employees and only retained those who are significant in the legal battles it faces, including the lawsuits and its request for bankruptcy. AMCA’s current employee count is down from 113 to 25, which practically cut of 78% of its human resources. Fuchs has asked the court to consider a motion which will ensure the firm’s remaining staff will be paid during the process.