[BreachExchange] 13,000 Patients of Maine Provider Among AMCA Data Breach Victims

Destry Winant destry at riskbasedsecurity.com
Wed Jul 17 08:35:06 EDT 2019


https://healthitsecurity.com/news/13000-patients-of-maine-provider-among-amca-data-breach-victims

July 15, 2019 - Penobscot Community Health Center in Maine recently
began notifying about 13,000 patients that their data was potentially
compromised in an eight-month-long hack on its billing services
vendor, American Medical Collection Agency.

In early June, AMCA began notifying clients of a system breach that
impacted several of its health clients. According to the notice, a
hacker gained access to its system from August 1, 2018 to March 30,
2019.

The system contained a trove of information that varied by client,
from demographic details to medical data and some Social Security
numbers. So far, up to 12 million Quest Diagnostics patients, 7.7
million LabCorp patients, and 422,000 BioReference patients were all
included in the breach victim tally.

PCHC contracted with AMCA for its billing collection services.
According to the notice, AMCA notified the provider of the eight-month
breach on May 15, 2019. The data compromised during the hack included
patient names, dates of birth, provider name, and other medical data.
Some credit card information was also potentially breached.

AMCA did not store any PCHC health records, diagnoses, or treatment
details. And not all PCHC patients were included in the security
incident, only patients whose accounts were sent to AMCA for debt
collection. Patients will receive two years of free credit monitoring
and identity theft protection services.

PCHC has since stopped doing business with AMCA and is currently
taking steps to retrieve and secure all patient data contained in the
vendor’s systems.

The breach completely devastated the parent company of AMCA,
Retrieval-Masters Creditors Bureau. The vendor filed for Chapter 11
bankruptcy just weeks after the breach notifications went public,
calling it a “cascade of events” with “enormous expenses that were
beyond the ability of the debtor to bear.”

The vendor, Quest, and LabCorp are currently facing dozens of lawsuits
and state investigations as the “wrongful disclosure has harmed
plaintiffs and the classes believed to include millions of
individuals.”

Along with claiming Quest, LabCorp, and AMCA failed to notify patients
in a timely fashion, the lawsuit alleged the vendors “apparently
allowed hackers to access plaintiffs’ and other class members’
sensitive information for at least seven months and did nothing to let
the victims know about the data breach for nearly a year after it
began.”

“While it is uncertain whether plaintiff and class members’ sensitive
and HIPAA-protected medical information was compromised, the fact that
the breach occurred and that cybercriminals obtained account
information of plaintiffs and class members makes it likely that
private medical information will or has been disclosed already on the
‘dark web,’” according to the lawsuit.

State attorneys general from Connecticut, Illinois, and Michigan have
all opened inquiries into the breach, as well as Democratic New Jersey
Senators Cory Booker and Bob Menendez, to determine just how the hack
went undetected for nearly eight months.

