[BreachExchange] UPDATE: 8 More Providers Added to AMCA Data Breach Victims

Destry Winant destry at riskbasedsecurity.com
Fri Jul 26 10:02:00 EDT 2019


https://healthitsecurity.com/news/46500-austin-pathology-patients-added-to-amca-data-breach-victims

Eight covered entities have been added to the victim tally of the
massive American Medical Collection Agency breach, which has now
claimed a total of up to 25 million breached patient records. Austin
Pathology Associates became the third provider within a week to report
its patient records were breached during the eight-month hack on the
billing services vendor.

Shortly after, seven more covered entities reported they too were
impacted: Natera, American Esoteric Laboratories, CBLPath, South
Texas Dermatopathology, Seacoast Pathology, Arizona Dermatopathology,
and Laboratory of Dermatopathology ADX. In total, more than 774,640
patients have been added to the breach by these covered entities
(Natera did not disclose how many of its patients were impacted).

Retrieval Masters Credit Bureau, AMCA’s parent company, discovered the
data security incident in March 2019. An investigation revealed a
hacker initially gained access to AMCA’s system on August 1, 2018. The
hack lasted for nearly eight months until it was discovered.

AUSTIN PATHOLOGY ASSOCIATES

AMCA informed Austin Pathology of the data security incident in May.
However, officials said AMCA failed to provide the specialist with
enough information to identify the potentially impacted patients or
even confirm the nature of the data impacted during the hack.

Austin Pathology is continuing to investigate. Based on the
information provided by AMCA, the breached data included patient
names, addresses, telephone numbers, dates of birth, dates of service,
account balances, banking or credit card information, and provider
details.

Social Security numbers were not compromised, and Austin Pathology did
not provide AMCA with any healthcare records, like laboratory results
or clinical history.

While AMCA officials told Austin Pathology that it sent about 1,800
breach notifications to the specialist’s patients, the provider
estimated that another 44,700 patients may have also had their data
compromised, bringing the total impacted to 46,500. Financial data was
not compromised for those additional patients.

As it continues to investigate, Austin Pathology has ended its
business relationship with AMCA. The majority of other impacted
covered entities, including Quest and LabCorp, have also ceased doing
business with the billing services vendor.

NATERA

In May, AMCA notified Natera that its records were included in the
hack, and Natera was provided with a list of the patients impacted.
The notification did not outline the amount.

Officials said AMCA was only provided with limited information by
Natera. As a result, the breach only compromised patient names,
addresses, Natera patient identification numbers, AMCA account
numbers, and credit card numbers.

AMERICAN ESOTERIC LABORATORIES (AEL)

AEL was also notified about the breach in May, which impacted a total
of 541,900 patients.

Officials said they launched an investigation into the security
incident, with help from a third-party cybersecurity firm, to identify
the impacted patients and the scope of the breach. Patient names,
addresses, phone numbers, dates of birth, treatment provider details,
balance information, and dates of service were compromised.

Since the security incident, AEL has stopped using AMCA for collection efforts.

CBLPATH

With help from an outside cybersecurity team, CBLPath launched its own
investigation into the incident soon after AMCA informed them of the
breach in May. They found that 148,900 patient records were
compromised, which included names, addresses, phone numbers, dates of
birth, balance details, treatment provider information, and dates of
service.

CBLPath has also stopped using AMCA for its debt collection services
since the breach.

SOUTH TEXAS DERMATOPATHOLOGY

Much like the notifications from the other impacted covered entities,
South Texas Dermatopathology officials said AMCA did not provide
enough information in its initial reporting to help the covered entity
determine what patients were impacted in the event.

As a result, South Texas Dermatopathology is continuing to
investigate. So far, the provider has determined patient names,
addresses, phone numbers, dates of birth, dates of service, balance
information, credit card or banking data, and treatment provider
information were compromised.

AMCA told the provider that Social Security numbers were not breached
during the hack, and South Texas Dermatopathology does not provide
AMCA with health information.

While AMCA has only sent 1,200 patients breach notification letters,
the investigation by South Texas Dermatopathology found that another
14,900 patients were involved. Those patients did not have their
credit or banking details breached. In total, 16,100 patients were
included in the hack, which was limited to its US patients.

SEACOAST PATHOLOGY

The Seacoast Pathology investigation is still ongoing, as officials
said AMCA did not provide them with enough information to fully
determine the scope of the breach.

Based on AMCA's reporting, officials said patient names, contact
information, dates of service, balance information, credit card or
banking information, and treatment provider details were compromised
for about 800 patients.

However, Seacoast determined another 9,200 patient records were
breached, bringing the total number to 10,000. Social Security numbers
and health data were not included, and only US patients whose accounts
were referred for debt collection were involved.

ARIZONA DERMATOPATHOLOGY

According to local news outlet ABC15, about 7,000 Aurora Diagnostics
Arizona Dermatopathology patient records were included in the breach.
Further details about the impacted information were not disclosed.

LABORATORY OF DERMATOPATHOLOGY ADX (LDA)

LDA was also informed by AMCA of the breach in May, and much like many
of the other covered entities, LDA officials said they were not
provided enough information by AMCA to adequately understand the scope
of the incident. As a result, LDA's investigation is ongoing.

At the moment, LDA believes that patient names, addresses, phone
numbers, dates of birth, dates of service, balance information, credit
card or banking information and treatment provider information were
compromised. Social security numbers and health information were not
breached.

AMCA sent notifications to just 240 patients informing them of the
data breach. But LDA estimated that another 4,000 patients were
involved, though their financial information was compromised.

THE IMPACT

Last week, Clinical Pathology Laboratories reported 2.2 million
patients were affected by the AMCA breach, while Penobscot Community
Health Center in Maine saw 13,000 patient records compromised. Added
to Austin Pathology’s patients, the 11.9 million Quest Diagnostics
patients, 7.7 million LabCorp patients, and 422,000 BioReference
patients, up to 22.28 million patients have been potentially impacted,
so far.

With today's added breach victims, the total number of patients
impacted has reached well over 25 million.

As a result of the loss of business and cost of the breach, AMCA’s
parent company filed for Chapter 11 bankruptcy. Quest, LabCorp, and
AMCA are currently facing lawsuits, as well as state and Senate
investigations. Security researchers have noted that the impact of the
breach will continue to reverberate throughout the foreseeable future.

“With this type of stolen information, criminals can have a field day
running personalized phishing campaigns,” Stuart Reed, vice president
of security firm Nominet, told HealthITSecurity in an email. “For
example, if they know you are a customer of Clinical Pathology
Laboratories and have the dates you visited the lab and any remaining
unpaid balance, that creates a perceived level of trust for victims,
which can be used to run a whole range of online scams and extortion
attacks.”

“With a big database, this typically will start at the very top with
high net worth targets and become more wholesale as the data ages,” he
added. “Protection of data throughout the supply chain is a collective
responsibility and any weak point presents a target of opportunity for
an attacker.”

To Reed, organizations that handle sensitive data need to ensure the
security of their vendors before the contracting process, as a way of
creating a “joint security posture” that includes technology,
processes, training, and staff.

Further, organizations also need to monitor the Domain Name System
(DNS) for any evidence of data theft or unauthorized activity.

“In addition to resulting in fines, lost business and brand damage,
cyberattacks can also affect organizations’ digital transformation
plans,” Reed said. “A quarter of organizations not considering digital
transformation acknowledge that it’s because of increased
cybersecurity risks.”

“As digital transformation grows and swells the attack surface ever
wider, a collaborative process that relies on getting risk management
and cyber security embedded into the partner relationship early on
should become something that’s baked into all supplier contracts as
a matter of routine,” he added.

