[BreachExchange] 46,500 Austin Pathology Patients Added to AMCA Data Breach Victims

Destry Winant destry at riskbasedsecurity.com
Tue Jul 23 01:46:34 EDT 2019


https://healthitsecurity.com/news/46500-austin-pathology-patients-added-to-amca-data-breach-victims

The massive American Medical Collection Agency breach has added yet
another provider to its breach victim tally: Austin Pathology
Associates is the third provider within a week to report its patient
records were breached during an eight-month hack on the billing
services vendor.

Retrieval Masters Credit Bureau, AMCA’s parent company, discovered the
data security incident in March 2019. An investigation revealed a
hacker initially gained access to AMCA’s system on August 1, 2018. The
hack lasted for nearly eight months until it was discovered.

AMCA informed Austin Pathology of the data security incident in May.
However, officials said AMCA failed to provide the specialist with
enough information to identify the potentially impacted patients or
even confirm the nature of the data impacted during the hack.

Austin Pathology is continuing to investigate. Based on the
information provided by AMCA, the breached data included patient
names, addresses, telephone numbers, dates of birth, dates of service,
account balances, banking or credit card information, and provider
details.

Social Security numbers were not compromised, and Austin Pathology did
not provide AMCA with any healthcare records, like laboratory results
or clinical history.

While AMCA officials told Austin Pathology that it sent about 1,800
breach notifications to the specialist’s patients, the provider
estimated that another 44,700 patients may have also had their data
compromised, bringing the total impacted to 46,500. Financial data was
not compromised for those additional patients.

Last week, Clinical Pathology Laboratories reported 2.2 million
patients were affected by the AMCA breach, while Penobscot Community
Health Center in Maine saw 13,000 patient records compromised. Added
to Austin Pathology’s patients, the 11.9 million Quest Diagnostics
patients, 7.7 million LabCorp patients, and 422,000 BioReference
patients, up to 22.28 million patients have been potentially impacted
so far.

As it continues to investigate, Austin Pathology has ended its
business relationship with AMCA. The majority of other impacted
covered entities, including Quest and LabCorp, have also ceased doing
business with the billing services vendor.

As a result of the loss of business and cost of the breach, AMCA’s
parent company filed for Chapter 11 bankruptcy. Quest, LabCorp, and
AMCA are currently facing lawsuits, as well as state and Senate
investigations. Security researchers have noted that the impact of the
breach will continue to reverberate throughout the foreseeable future.

“With this type of stolen information, criminals can have a field day
running personalized phishing campaigns,” Stuart Reed, vice president
of security firm Nominet, told HealthITSecurity in an email. “For
example, if they know you are a customer of Clinical Pathology
Laboratories and have the dates you visited the lab and any remaining
unpaid balance, that creates a perceived level of trust for victims,
which can be used to run a whole range of online scams and extortion
attacks.”

“With a big database, this typically will start at the very top with
high net worth targets and become more wholesale as the data ages,” he
added. “Protection of data throughout the supply chain is a collective
responsibility and any weak point presents a target of opportunity for
an attacker.”

To Reed, organizations that handle sensitive data need to ensure the
security of their vendors before the contracting process, as a way of
creating a “joint security posture” that includes technology,
processes, training, and staff.

Further, organizations also need to monitor the Domain Name System
(DNS) for any evidence of data theft or unauthorized activity.

“In addition to resulting in fines, lost business and brand damage,
cyberattacks can also affect organizations’ digital transformation
plans,” Reed said. “A quarter of organizations not considering digital
transformation acknowledge that it’s because of increased
cybersecurity risks.”

“As digital transformation grows and swells the attack surface ever
wider, a collaborative process that relies on getting risk management
and cyber security embedded into the partner relationship early on
should become something that’s baked into all supplier contracts as
a matter of routine,” he added.

