[BreachExchange] Multiple Class Action Lawsuits Filed in AMCA Breach

Destry Winant destry at riskbasedsecurity.com
Tue Jun 11 00:41:20 EDT 2019


https://www.databreachtoday.com/multiple-class-action-lawsuits-filed-in-amca-breach-a-12599

A flurry of class action lawsuits has already been filed by
individuals alleging they have been injured by a data breach at
American Medical Collection Agency, which impacted more than 20
million patients of at least three medical laboratory testing firms.

As of Monday, more than a dozen class action lawsuits had already been
filed in several U.S. federal courts within one week of news breaking
of an "unauthorized access" breach at AMCA that affected information
of nearly 12 million Quest Diagnostics patients, 7.7 million LabCorp
patients and nearly 423,000 BioReference Laboratories patients.

Each of those three medical testing laboratory companies disclosed on
June 3 being impacted by the AMCA breach in individual 8-K filings
with the Securities and Exchange Commission.

In Quest Diagnostics' situation, the Secaucus, N.J.-based firm said
AMCA provides billing collections services to revenue cycle management
firm Optum360, which is a Quest contractor.

The lawsuits include class action complaints naming all of the
companies as defendants. In a few cases, lawsuits were filed naming
AMCA and only one or two of the medical testing firms, and/or Optum360
as defendants.

Lawsuits' Allegations

What the lawsuits all have in common are allegations by plaintiffs -
patients of the labs whose information at some point had been turned
over to AMCA for bill collecting - who say they've been harmed by the
AMCA data breach.

"When certain customers do not pay their invoices within the requested
time period, Quest will reach out to Optum360, who will provide
information to AMCA to collect the balance," one of the complaints
against AMCA, Quest Diagnostics, Optum360, LabCorp, and BioReference
notes.

"Consumers place value in data privacy and security. However,
defendants failed to take all necessary precautions to secure the
personal information given to them by consumers," the complaint notes.

"Defendants ... had a duty to plaintiff and class members to properly
secure personal information, encrypt and maintain such personal
information using industry standard methods, utilize available
technology to defend its systems from invasion, act reasonably to
prevent foreseeable harms to plaintiff and class members," that
complaint filed June 7 in a New York federal court notes.

"Defendants had the resources necessary to prevent the data breach but
neglected to adequately invest in security measures, despite their
obligation to protect such information," the suit alleges.

The lawsuits allege a variety of claims, including negligence and
breach of implied contract by the defendants in failing to protect the
personal information of those individuals impacted by the data breach.

Collectively, the lawsuits also allege a variety of state law
violations, including the New York General Business Law, the Florida
Deceptive and Unfair Business Practices Act, and the California
Medical Information Act.

Among other things, the various lawsuits are seeking damages,
penalties, and other monetary relief for those impacted by the breach.

AMCA Account

According to the SEC filings of the breached companies, AMCA says it
learned from a third-party security firm of unauthorized activity on
AMCA's web payment page occurring between August 1, 2018, and March
30, 2019.

"Upon receiving information from a security compliance firm that works
with credit card companies of a possible security compromise, we
conducted an internal review, and then took down our web payments
page," an AMCA spokesman tells Information Security Media Group.

"We hired a third-party external forensics firm to investigate any
potential security breach in our systems, migrated our web payments
portal services to a third-party vendor and retained additional
experts to advise on, and implement, steps to increase our systems'
security. We have also advised law enforcement of this incident," he
says.

According to a breach report AMCA filed with North Carolina's attorney
general, a copy of which was provided to ISMG, AMCA says it discovered
the "hacker/unauthorized access" breach on March 20. AMCA says in the
report that security measures had previously been taken to protect the
data that was compromised.

"Certain information was encrypted. However, the encryption keys were
compromised," the report notes.

According to the SEC filings of the companies impacted by the AMCA
breach, potentially compromised data includes patients' healthcare and
financial information, ranging from name, date of birth, address,
phone, date of service, provider, balance information, and in some
cases bank account information and Social Security numbers.

"Data breaches and identity theft have a crippling effect on
individuals and detrimentally impact the entire economy as a whole,"
one of the class action complaints against AMCA and the other
companies notes. "Medical databases are especially valuable to
identity thieves."

Prognosis of Suits

The lawsuits filed so far are the first of many more that will
undoubtedly be lodged against AMCA and the other companies, some
legal experts predict.

"Time will tell whether these ... class action lawsuits have merit,"
says privacy attorney David Holtzman of security consultancy
CynergisTek.

"Class action litigators will often file lawsuits containing general
allegations and claims of damage as part of a 'first-in-line' strategy
that they believe will benefit their clients as well as enhance any
attorney's fees that might be awarded," he notes.

"The filing of these class action lawsuits will also likely result in
the turning over documents and materials concerning the information
security practices of the organizations, the relationships between the
parties and results of investigations into who knew what and when."

Government Scrutiny

In addition to the class action lawsuits being filed, AMCA and the
affected healthcare companies are also facing intense scrutiny by
state regulators and some members of Congress in the wake of the
breach.

At least six state attorneys general - in Michigan, New York,
Minnesota, North Carolina, Illinois and Connecticut - have said their
offices are investigating the breach.

Also, New Jersey's two U.S. senators on June 5 sent a letter to New
Jersey-based Quest Diagnostics demanding answers about the AMCA
breach.

On a federal level, the breach case involving AMCA also brings to
light issues involving HIPAA-covered entities and business associate
relationships, notes privacy attorney Iliana Peters of the law firm
Polsinelli.

"I think the most important issue moving forward from both a
litigation and regulatory standpoint is the HIPAA business associate
liability, which stems from the vendor/HIPAA business associate
relationship here and in many other cases about which state and
federal regulators are investigating," she says.

The Department of Health and Human Services' Office for Civil Rights
recently issued guidance on business associate liability, she notes.
"It does seem like an issue that at least OCR is particularly
interested in from an enforcement perspective. I will be particularly
interested to see if the issue also comes up with state regulators or
with litigation moving forward."

Early Lessons

In the meantime, important lessons, especially about vendor security
risk management, are already emerging from the breach, despite scant
details being revealed by AMCA about the incident so far.

"The key lessons to be learned are that healthcare organizations must
perform risk based assessments of vendors' information security
practices and safeguards," Holtzman says. "The more access an
organization has to your information system or the sensitivity of the
data, the more comprehensive and thorough the examination."

In addition, as Quest Diagnostics' relationship with Optum360 - which
used AMCA for bill collecting - illustrates, downstream vendors
handling sensitive data must also be closely scrutinized, Holtzman
says.

"Ask your vendor or contractors to identify and perform vendor
management assessment of the subcontractors or vendors they hire to
create or maintain your organization's personally identifiable data,"
he says.

"Ensure that all vendor agreements include provisions for what types
of incidents have to be reported to your healthcare organization and
when that notification must be provided. Equally important is
specifying in your vendor contract how information about incidents
involving subcontractors is reported to you and rights to obtain
information or investigate such incidents."
