The HIPAA data breach that won’t go away has claimed another victim.
In June of 2019, business associate (BA) and vendor American Medical Collection Agency (AMCA), which provides billing services to healthcare organizations, notified millions of patients that their protected health information (PHI) – financial data, Social Security numbers, and medical information – was potentially breached, in violation of the HIPAA Privacy Rule and the HIPAA Security Rule. AMCA provided the notification of the HIPAA data breach after it discovered, in March of 2019, that its web payment system had been hacked over an eight-month period beginning in August of 2018 and ending in March of 2019.
Who are these patients? They are patients of healthcare providers – providers that had contracted with AMCA to handle the providers’ billing services. The list of healthcare providers whose patients’ data was potentially compromised is a long one: Quest Diagnostics (potential size of HIPAA data breach: 11.9 million patients); LabCorp (potential size of HIPAA data breach: 7.7 million patients); BioReference Laboratories (potential size of HIPAA data breach: 422,000 patients); Penobscot Community Health Center (potential size of HIPAA data breach: 13,000 patients).
To this list, another 2.2 million potential HIPAA data breach victims can now be added.
In May, AMCA, as required by the HIPAA Breach Notification Rule, sent notification letters to about 34,500 Clinical Pathology Laboratories (CPL) patients informing them they might have been affected by the data breach. CPL, not confident that AMCA had provided enough information to determine precisely which patients and data were affected, subsequently conducted its own investigation. That investigation revealed that 2.2 million CPL patients potentially had their data breached in the incident.
According to CPL, patient names, addresses, phone numbers, dates of birth, dates of service, account balance details, credit card or banking information, and provider data have all been potentially exposed in the HIPAA data breach.
As a result of the incident, CPL has terminated its business relationship with AMCA.
AMCA’s problems, however, are not limited to the loss of one customer. A number of states, as well as several U.S. senators, have launched investigations into the breach, and affected patients have filed dozens of lawsuits against AMCA, alleging delayed breach notification and failure to protect PHI from a HIPAA data breach.
Even that is not all. In June, AMCA’s parent company, Retrieval-Masters Creditors Bureau Inc., voluntarily filed for Chapter 11 bankruptcy.
As the AMCA HIPAA data breach shows, HIPAA data breaches can be costly and negatively affect your organization’s reputation. Making sure your organization has proper safeguards in place to protect PHI can save your organization from hefty fines, lawsuits, and bad publicity.
To address HIPAA cybersecurity requirements, Compliancy Group works with IT and MSP security partners from across the country. You can contract with these partners so that they can properly handle your HIPAA cybersecurity protection needs.