Update on American Medical Collection Agency breach: Almost 12 million Quest Diagnostic patients impacted

On May 10, DataBreaches.net broke the story of a medical collection agency breach involving American Medical Collection Agency.  The breach had been discovered by Gemini Advisory, who informed this site that they had found approximately 200,000 patients’ payment card info for sale on a well-known marketplace. The cards had apparently been compromised between September, 2018 and the beginning of March, 2019.

When AMCA did not respond to Gemini’s notification attempt, Gemini Advisory reported their findings to law enforcement, who then contacted AMCA.

AMCA did not subsequently respond to DataBreaches.net’s questions about the incident, although by May 10, it was clear that AMCA knew and had been addressing the problem (as screenshots this site published suggested).

Today, ABC news reports that AMCA has reportedly informed Quest Diagnostics that 11.9 million of their patients may be impacted — and that’s just one company. ABC reports:

AMCA believes this information includes personal information, including certain financial data, Social Security numbers, and medical information, but not laboratory test results.

Quest reports that AMCA has not yet provided them or Optum360 detailed or complete information about the AMCA data security incident, including which information of which individuals may have been affected.

American Medical Collection Agency breach impacted 200,000 patients – Gemini Advisory

Main Office: pay your bill https://champ.retrievalmasters.com/webpay?pid=2

Forbidden You don’t have permission to access /webpay on this server.

bill collector HAS NO PRIVACY POLICY AND NOTHING ABOUT HIPPA
http://retrievalmasters.com/about.php
MORALS & ETHICS: We are compliant with all Federal and State Laws and are members of ACA International. We provide our services adhering to the ethical guidelines expected from a National Accounts Receivable Management firm.

On February 28, 2019, Gemini Advisory identified a large number of compromised payment cards while monitoring dark web marketplaces. Almost 15% of these records included additional personally identifiable information (PII), such as dates of birth (DOBs), Social Security numbers (SSNs), and physical addresses. A thorough analysis indicated that the information was likely stolen from the online portal of the American Medical Collection Agency (AMCA), one of the largest recovery agencies for patient collections. Several financial institutions also collaboratively confirmed the connection between the compromised payment card data and the breach at AMCA.

Understanding When Business Associates Are Directly Liable Under HIPAA

New guidance issued by the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) reaffirms that business associates must have proper HIPAA compliance practices, safeguards and documentation in place in order to avoid costly penalties.

OCR recently released a Fact Sheet summarizing the instances in which a business associate is directly liable for HIPAA violations. While nothing in the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (HIPAA Rules) has changed at this time, the Fact Sheet, released on May 24, 2019, aims to make it easier for regulated entities to understand and comply with their obligations under the law.

Direct Liability of Business Associates In 2009, Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act,1 making business associates of covered entities directly liable for compliance with certain requirements of the HIPAA Rules.  Consistent with the HITECH Act, the HHS Office for Civil Rights (OCR) issued a final rule in 2013 to modify the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules.2  Among other things, the final rule identifies provisions of the HIPAA Rules that apply directly to business associates and for which business associates are directly liable

• Business Associates May be Liable for HIPAA Compliance