Mount Sinai had previously contracted with AMCA, a debt collection service located in Elmsford, New York, for billing collection services. On June 4, 2019, AMCA advised Mount Sinai that between August 1, 2018 and March 30, 2019, an unauthorized person may have had access to AMCA’s computer network. The resulting data breach was not discovered until March 30, 2019.
Mount Sinai’s patient protected health information (PHI) was contained in AMCA’s network system, including patients’ names, dates of medical service, name of lab or medical service provider, referring doctors, health insurance information, and other medical information related to services received at Mount Sinai.
The breach has affected only those patients with outstanding invoices that had been given to AMCA for collection. Mount Sinai has stated in its notice that its systems were not affected by this incident.
Mount Sinai has also indicated that it has ceased doing business with AMCA, and is working to retrieve and secure all Mount Sinai data, including electronic protected health information (ePHI), in AMCA’s database.
AMCA’s parent company, Retrieval-Masters Credit Bureau, Inc., filed for Chapter 11 bankruptcy on June 17, 2019, a mere two weeks after advising Mount Sinai of the data breach.
The Office of the New York State Attorney General is investigating the AMCA data breach. In addition, the Attorneys General of Connecticut, Illinois, and more than 20 other states, are also investigating the data breach. The AMCA data breach has already prompted a lawsuit as well – a class action against Quest Diagnostics, another AMCA data breach victim, has been filed in New Jersey federal court.