Labcorp reaches $35M settlement over American Medical Collection Agency breach

Laboratory services company Labcorp has agreed to a $35 million settlement in a class-action lawsuit stemming from its third-party debt-collection vendor. From August 2018 to March 2019, American Medical Collection Agency, a now-defunct company specializing in small-balance medical debt collection, experienced a data breach that affected more than 21 million individuals, including more than 10 million Labcorp patients.

The breach occurred when hackers gained access to AMCA's systems and compromised patients' Social Security numbers, payment information and medical test and diagnostic codes.

In the wake of the breach, several class-action lawsuits were filed and later consolidated into a single case in the U.S. District Court for the District of New Jersey. The plaintiffs alleged negligence and breach of contract over Labcorp's handling of the third-party incident, which the company denied.

According to the settlement agreement, the parties aimed to avoid prolonged litigation. Class members can submit claim forms for up to $5,000 if they can document out-of-pocket losses resulting from the breach, including losses related to legal services and credit monitoring. Alternatively, they can submit a claim form for $50 with no proof required. Class members may also receive two years of medical information monitoring and identity theft insurance.

The final settlement approval hearing will be held on Aug. 20, 2026.

This settlement specifically resolves allegations against Labcorp. AMCA has also faced legal challenges due to the breach. For example, in 2021, 41 attorneys general resolved a multistate investigation into the breach, initially holding the company liable for a $21 million payment. The payment was later suspended due to AMCA's financial troubles.

The multistate coalition also required AMCA to improve its data security practices by creating an incident response plan and hiring a third-party assessor to perform an information security assessment.

AMCA filed for Chapter 11 bankruptcy after the breach and is no longer in business.

Jill Hughes has covered health tech news since 2021. Her coverage areas include cybersecurity, HIPAA compliance, interoperability, AI and EHRs.