American Medical Collection Agency breach impact reaches 20 million

A third medical testing company announced it has been impacted by the American Medical Collection Agency data breach, putting the total number of patients potentially affected at 20 million.

In an 8-K form filed with the U.S. Securities and Exchange Commission, OPKO Health, Inc., said 422,600 customers may have been impacted by a data breach through its subsidiary, BioReference Laboratories, Inc.

BioReference, based in Elmwood Park, N.J., was notified by the American Medical Collection Agency, a bill collection service provider, about unauthorized activity on the collection agency’s online payment page between Aug. 1, 2018 and March 30, 2019. Data for approximately 422,600 of its patients was stored in the affected system, according to the SEC filing.

Earlier this week, medical testing companies Quest Diagnostics Inc., and Laboratory Corporation of America Holdings (LabCorp) filed 8-K forms that announced they, too, were affected by the data breach, which brings the total of potentially impacted patients to roughly 20 million.

For BioReference patients, data that could have been affected includes patient names, dates of birth, addresses, phone numbers, dates of service, and provider and balance information. The affected American Medical Collection Agency system also included credit card information, bank account information, not including passwords and security questions, and email addresses provided by customers to the collection agency, the filing said.

American Medical Collection Agency said no Social Security numbers were compromised. In the SEC filing, BioReference noted it did not provide laboratory results or diagnostic information to the collection agency.

American Medical Collection Agency is sending notices to 6,600 patients whose credit card or bank account information was stored in its system, and for whom BioReference performed laboratory testing, according to the filing.

BioReference has not sent any collection requests to American Medical Collection Agency since October 2018, and it noted in the SEC filing that it will not send any new collections requests to the agency. It has requested that the collection agency cease working on any pending collections requests involving its patients.

The filing noted that BioReference hasn’t been able to verify the accuracy of the information it received from AMCA.

In a statement, the American Medical Collection Agency said it is investigating a data incident that involved an unauthorized user accessing its system. The collection agency said it was notified of a potential security compromise by a security compliance firm that works with credit card companies, which resulted in the collections agency conducting an internal review and then taking down its web payments page.

Kristina Podnar, digital policy consultant and author of The Power of Digital Policy, called the current 8-K filings “just the tip of the iceberg.”

“I think we’re going to see a lot more coming out in terms of 8-K filings,” she said.

According to its website, the American Medical Collection Agency works with laboratories, physician groups, billing services, hospitals and medical providers across the country and manages more than $1 billion in annual receivables.