Lawsuits and Investigations Related to the AMCA Data Breach

Ever since reports regarding the massive data breach at American Medical Collection Agency (AMCA) became known, over 12 lawsuits had been submitted by breach victims.

Quest Diagnostics formally reported the breach on June 3, 2019 through a 8-K filing with the Securities and Exchange Commission (SEC). LabCorp also did a SEC filing on June 4, 2019, and then BioReference Laboratories. Currently, there are over 20 million compromised personal records because of the breach.

The data breach at AMCA was discovered by Gemini Advisory’s security researcher. He found a set of 200,000 payment card numbers for sale on a darknet marketplace. Upon communication with AMCA and law enforcement officials, the hacked systems were made secure. Investigative reports confirmed that the hackers had accessed its web payment portal for 7 months.

It appeared that the hackers had monetized the stolen data. For this reason, many filed class action lawsuits where plaintiffs claim to have sustained harm as a result of the data breach.

One or more of the three companies – Quest Diagnostics, BioReference Laboratories and LabCorp, had been charged in most of the lawsuits. AMCA and Optum360 (Quest Diagnostics’ business associate) were charged in some lawsuits. Under selected cases where a patient didn’t pay off a bill, the patient’s details are sent to Optum360, which sends the data to AMCA for collection later.

The other class action lawsuits assert negligence and breach of implied contract caused by inability to secure personal information. Based on one complaint, the accused could use encryption and follow national and industry benchmarks as mandated to avert foreseeable harm to people. However the defendants failed to do it in spite of having the funds for implementing a security plan. It is alleged in the lawsuits that state laws were violated and thus damages, financial aid, and penalties are being sought by the complainants.

AMCA only sent breach notifications to a few people – the majority of whom had their financial information compromised. The healthcare organizations that gave AMCA access to health data still haven’t obtained the details of affected people. It is very likely that more breach victims would file more lawsuits as breach notification letters are issued.

Besides the class action lawsuits, all entities involved are being investigated by state and federal regulators and the Congress. The HHS’ Office for Civil Rights will certainly look into this breach to know if there was HIPAA Rules violation. Thus far, the state attorneys general from six states (Illinois, New York, Minnesota, Michigan, North Carolina and Connecticut) are already looking into the breach.

If there is a state or federal laws violation discovered, there might be financial penalities issued. Recently this year, several state attorneys general filed lawsuits on Medical Informatics Engineering over a 2014 data breach leading to a settlement worth $900,000.