Skip to content

American Medical Collection Agency (AMCA) Data Breach : Why It Happened & What Can You Learn? (24 Million Customers Affected)

24 million customers is approximated to be affected through this third party breach.  The data breach experienced by American Medical Collection Agency (AMCA), a third-party bill-collection vendor for the health institutions, affected 17 health institutions including the United States’ biggest lab testing companies, Quest and LabCorps.

The affected institutes include Quest Diagnostics (12 Million),Laboratory Corporation Of America (7.7 Million), Clinical Pathology Laboratories (2.2 Million), OPKO Health, Laboratory Medical Consultants, American Esoteric Laboratories, Sunrise Medical Loaboratories, CBL Path, Austin Pathology Associates, South Texas Dermatopathology, Pathology Solutions, Laboratory Of Dematopathology ADX, Seacoast Pathology, Western Pathology Consultants, Arizona Dermatopathology, Natera.

AMCA’s breach cost it heavily. They filed for bankruptcy soon after with loss of 4 major clients.

Why It Happened ?

Attackers used a vulnerability at AMCA’s payment portal to access data which had millions of sensitive patient information. It included details such as names, addresses, phone numbers, dates of birth, payment card or banking information, social security numbers, and (PII) personally identifiable medical information. This affected from reports approx. of 23 million customers. AMCA was a third party vendor to major medical labs etc.

What Can You Learn ?

The above attack used various loopholes at various stages and we can list a few mitigation steps from it. 

  • Sensitive Data Breach can cause loss of best customers due to breach of trust and even cause a shut down
  • Third Party Security measures to make sure any vulnerability doesn’t affect one’s own customers
  • PII regulations within the company for careful distribution of PII. Collection of PII only restricted to only when absolutely necessary
  • For CIOs Be thorough, diligent with business associate contracts