[BreachExchange] Over 400,000 Opko Health Clients Impacted by AMCA Data Breach

Destry Winant destry at riskbasedsecurity.com
Fri Jun 7 06:15:13 EDT 2019


https://www.bleepingcomputer.com/news/security/over-400-000-opko-health-clients-impacted-by-amca-data-breach/

Medical tests and medication firm OPKO Health Inc, present in over 30
countries, says that one of its subsidiaries, BioReference Laboratories
Inc, was notified by American Medical Collection Agency (AMCA) of
unauthorized activity on its web payment page.

This new breach notification follows previous breach reports received
by diagnostic services provider Quest Diagnostics Incorporated and
Laboratory Corporation of America Holdings (LabCorp) from AMCA.

In these two breaches alone, roughly 19 million of their customers
were impacted by unauthorized access to the companies' data
stored on AMCA's systems.

According to a filing with U.S. Securities and Exchange Commission
(SEC), AMCA told the OPKO Health subsidiary that an unauthorized party
accessed the BioReference medical test data of around 422,600 patients
between August 1, 2018, and March 30, 2019.

In addition, the accessed data contained payment information and PII:

AMCA advised that AMCA’s affected system includes information provided
by BioReference that may have included patient name, date of birth,
address, phone, date of service, provider, and balance information. In
addition, the affected AMCA system also included credit card
information, bank account information (but no passwords or security
questions) and email addresses that were provided by the consumer to
AMCA.

AMCA told BioReference that "no Social Security Numbers were
compromised" in the breach and, according to the OPKO Health
subsidiary "no laboratory results or diagnostic information" were
provided and stored on AMCA systems.

The SEC filing also states that AMCA will send breach notifications to
"6,600 patients for whom BioReference performed laboratory testing"
whose bank account and credit card info was stored on the breached
systems.

State attorneys general and other state agencies will also be notified
by AMCA regarding the data breach "as required by applicable state
data breach laws."

Additionally, the billing collection provider reported the "AMCA
Incident" to law enforcement agencies and shut down the breached web
payments page:

AMCA has reported to BioReference that it is continuing to investigate
this incident, has reported the AMCA Incident to law enforcement and
has taken steps to increase the security of its systems, processes,
and data, including shutting down its web payments page, migrating it
to a third-party vendor, and hiring a cybersecurity firm to implement
various safeguards to increase security.

As detailed by BioReference in the breach report filed with the SEC,
no collections requests have been sent to AMCA since October 2018 and
the company has also requested AMCA to "cease continuing to work on any
pending collection requests involving BioReference patients."

According to its website, AMCA is the "leading recovery agency for
patient collection" and it is "managing over $1BN in annual
receivables for a diverse client base," servicing "laboratories,
hospitals, physician groups, billing services, and medical providers
all across the country."

