Valuable Lessons Learned from the Massive AMCA Data Breach
Hackers stole the personal, financial, and medical data of more than 20 million patients who had used the online payment portal of a US medical bill and debt collector. Here are some valuable lessons you can learn without having to experience a data breach.
A US medical bill and debt collector, American Medical Collection Agency (AMCA), was the target of a data breach that persisted for seven months. Hackers stole the data of more than 20 million patients who had used AMCA’s online payment portal between August 2018 and March 2019.
By examining this data breach, you can learn some valuable lessons without having to experience one firsthand.
The AMCA Fiasco
When monitoring the dark web marketplace, Gemini Advisory security analysts discovered a database for sale that contained compromised US payment cards with accompanying information such as social security numbers, birthdates, and medical information. Upon investigation, they found that the database was likely stolen from AMCA’s online payment portal.
The security analysts attempted to notify AMCA by phone on March 1, 2019, but they did not get any response from the messages they left. So, they immediately contacted a federal law enforcement agency, which contacted AMCA. AMCA officials then confirmed that they had been breached.
It wasn’t until the beginning of June that patients were notified. Soon thereafter, numerous lawsuits were filed against AMCA and two of its clients, Quest Diagnostics and LabCorp. The lawsuits were filed for two main reasons:
- Failing to protect patients’ data. The US Health Insurance Portability and Accountability Act (HIPAA) takes a serious stance on the relationship between a US healthcare provider and organizations (aka business associates) that protect health information on the provider’s behalf. HIPAA mandates that a healthcare provider must contractually ensure that its business associates comply with HIPAA’s Privacy Rule, which is why Quest Diagnostics and LabCorp are named in many of the lawsuits. Plus, the business associate itself is responsible for complying with HIPAA, which is why AMCA is named in many of the lawsuits. Both Quest Diagnostics and LabCorp have had security problems in the past. In November 2016, one of Quest Diagnostics’ Internet applications was breached. The hacker obtained the personal data of about 34,000 patients. In July 2018, LabCorp was the target of a ransomware attack, which caused the company to take certain systems offline for several days.
- Failing to notify patients about the breach in a timely manner. HIPAA mandates that healthcare providers notify patients within 60 days of first discovering a breach. However, AMCA didn’t notify potential victims until June 6, which is about three months after first finding out about the breach. Quest Diagnostics also notified victims in early June. However, the company contends that AMCA did not notify Quest officials in a timely manner. According to the Quest Diagnostics website, they received notification about “potential unauthorized activity” on May 14. But it wasn’t until May 31 that Quest officials found out how many patients were affected and the types of data stolen. The number of victims and the types of data stolen are eye-opening. Around 11.9 million patients had personal information (including Social Security numbers), financial records (including payment card and bank account numbers), and medical information (but not laboratory test results) stolen. Around 7.7 million LabCorp patients had personal and financial information stolen, but not their Social Security numbers, since that information was never given to AMCA. Some LabCorp patients were upset that the company didn’t send them notification letters. LabCorp submitted a US Securities and Exchange Commission (SEC) filing about the breach on June 4 and posted information about the incident on its website but had not sent notification letters as of July 1. Notification letters might be sent in the future, though. The website noted “LabCorp will take additional steps that may be appropriate, including making any required notifications, once more is known about the AMCA incident.”
The victims weren’t the only ones upset about the AMCA data breach. Two US senators, the attorneys general from at least three states (Connecticut, Illinois, and Michigan), and other officials have launched investigations. The senators, for example, sent letters to Quest Diagnostics and LabCorp demanding to know about their security processes and teams, why the breach was not detected sooner, and how they manage their vendors. The senators sent a similar letter to AMCA.
On June 17, AMCA’s parent company, Retrieval-Masters Creditors Bureau Inc., filed for bankruptcy as a direct result of the data breach. The company experienced a “severe drop-off in its business”, according to bankruptcy papers. Quest Diagnostics and LabCorp were its largest customers. Like many other clients, they terminated their business relationship with AMCA once they found out about the breach. The high costs incurred because of the breach were another reason why the company filed for bankruptcy.
You can learn some valuable lessons from the AMCA data breach:
- Companies can be held liable for their suppliers’ data breaches. Businesses that must comply with data privacy regulations such as HIPAA and the European Union’s General Data Protection Regulation (GDPR) can be held accountable for their suppliers’ data breaches. Since data privacy regulations are becoming more common, it is a good idea for businesses to consider this when selecting suppliers.
- Businesses need to continually monitor their IT operations for suspicious activity that might indicate a data breach is occurring. Unlike ransomware, which announces itself, data breaches are typically carried out covertly. Knowing what to look for (for example, a single session or client pulling far more customer records from a portal than any legitimate user would) and continually monitoring for those signs can mean the difference between having a breach discovered in seven hours rather than seven months.
- Companies must notify the victims affected by a breach in a timely manner. This is not just a HIPAA requirement. All 50 US states have legislation requiring private and government entities to notify individuals of data breaches if their personal data was stolen. Moreover, poorly handled notifications can exacerbate the impact of the data breach. Promptly notifying victims in a thoughtful manner can help lessen some of the negative feelings.
- Data breaches are costly. In the bankruptcy filing, AMCA noted that it incurred substantial costs due to the incident, including having to spend $3.8 million to mail millions of notices to patients. It also spent $400,000 to hire IT experts to identify the source of the breach, diagnose its cause, and implement appropriate solutions.
- Data breaches often lead to lost business — and worse. A data breach can result in losing existing customers, missing out on future business opportunities, and even having to file for bankruptcy or go out of business.
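To make the monitoring lesson concrete, here is an added example of the kind of detection logic a defender could run over a payment portal’s access logs. It is my own illustration, not code from the article, AMCA, Quest Diagnostics, or LabCorp, and it assumes a simplified, constructed log format and a hypothetical `/portal/account/<id>` route that returns one patient’s billing record. It flags any session that fetches more than a threshold number of distinct account records inside a sliding time window, and notes whether the IDs it walked were sequential, a pattern a scraper produces and a normal patient never does.

```python
"""Flag bulk record access in a payment-portal access log.

Added example (not from the article or any company it names). The log
format and the /portal/account/<id> route are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log line format: <client-ip> <session-id> <iso-timestamp> <status> <path>
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<session>\S+) (?P<ts>\S+) (?P<status>\d{3}) (?P<path>\S+)$'
)
# Hypothetical route that returns a single patient's billing record
RECORD_RE = re.compile(r'^/portal/account/(?P<acct>\d+)$')


def parse_line(line):
    """Return (ts, ip, session, acct) for a successful record fetch, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m.group('status') != '200':
        return None          # malformed line, or a request that did not return data
    r = RECORD_RE.match(m.group('path'))
    if not r:
        return None          # some other page (login, payment form, static asset)
    return (datetime.fromisoformat(m.group('ts')), m.group('ip'),
            m.group('session'), int(r.group('acct')))


def detect_bulk_access(lines, window=timedelta(minutes=10), max_distinct=15):
    """Return one alert per session that fetched more than `max_distinct`
    different account records inside any `window`-long period.

    `max_distinct` is a placeholder; in practice derive it from a baseline of
    how many records a legitimate user touches per visit."""
    recent = defaultdict(deque)   # session -> deque of (ts, acct) inside the window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, ip, session, acct = ev
        q = recent[session]
        q.append((ts, acct))
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        distinct = sorted({a for _, a in q})
        if len(distinct) > max_distinct and session not in alerts:
            gaps = [b - a for a, b in zip(distinct, distinct[1:])]
            alerts[session] = {
                'session': session,
                'ip': ip,
                'records_in_window': len(distinct),
                'first_seen': q[0][0].isoformat(),
                'sequential_ids': all(g == 1 for g in gaps),  # enumeration pattern
            }
    return list(alerts.values())


def build_sample_log():
    """Constructed sample: one ordinary session, one that walks account IDs in order."""
    lines = [
        '203.0.113.7 sess-a 2019-02-14T09:12:00 200 /portal/login',
        '203.0.113.7 sess-a 2019-02-14T09:12:30 200 /portal/account/400123',
        '203.0.113.7 sess-a 2019-02-14T09:13:40 200 /portal/account/410987',
        '203.0.113.7 sess-a 2019-02-14T09:14:05 200 /portal/pay',
        '198.51.100.9 sess-b 2019-02-14T02:29:50 403 /portal/account/499999',
    ]
    base = datetime(2019, 2, 14, 2, 30, 0)
    for i in range(40):
        ts = (base + timedelta(seconds=8 * i)).isoformat()
        lines.append(f'198.51.100.9 sess-b {ts} 200 /portal/account/{500000 + i}')
    return lines


if __name__ == '__main__':
    for alert in detect_bulk_access(build_sample_log()):
        print(alert)
```

The ordinary session touches two unrelated records and is ignored; the second session is flagged as soon as it crosses the threshold, two minutes into its run, rather than months later. Two details matter in practice: the threshold should come from a measured baseline of real user behaviour, and the alert should carry enough context (IP, session, first-seen time, enumeration flag) for an analyst to pivot on immediately.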
Bad News for Most Everyone Involved
Data breaches are bad news for everyone involved, except the perpetrators. Customers are at risk of getting their money or identities stolen because their personal data is up for grabs. Companies can lose their customers, reputation, and money. Due to these serious ramifications, businesses need to strengthen their security defenses as well as have incident response plans in place. We can help by assessing your company’s security measures and formulating an effective strategy to defend against data breaches.