Governance & Risk Management , Incident & Breach Response , Privacy

BioReference Laboratories Added to AMCA Breach Tally

At Least 3 Lab Testing Firms Affected; Several State Attorneys General Investigate
BioReference Laboratories Added to AMCA Breach Tally

This story has been updated.

See Also: Webinar | 2023 OT Cybersecurity Year in Review: Lessons Learned from the Frontlines

A third medical lab test firm - BioReference Laboratories - has acknowledged that it's a victim of the data breach at American Medical Collection Agency, which may have exposed data on more than 20 million patients.

Meanwhile, at least six state attorneys general - in Michigan, New York, Minnesota, North Carolina, Illinois and Connecticut - are now investigating the breach.

In a 8-K filing Monday with the Security and Exchange Commission, Elmwood Park, N.J.-based BioReference Laboratories, a subsidiary of OPKO Health, says it was notified on that same day by AMCA that data for approximately 422,600 patients for whom BioReference performed testing was stored in the AMCA system that suffered the "unauthorized access" breach.

Earlier announcements revealed that two other laboratory testing firms were also affected by the breach. Quest Diagnostics says 11.9 million patients who it serves were potentially affected, and LabCorp says 7.7 million patients may have been impacted.

BioReference Offers Update

In its SEC filing, BioReference notes that it formerly had been using AMCA's collection services.

"BioReference has not sent any collection requests to AMCA since October 2018, and it will not send any new collection requests to AMCA," the filing says. "In addition, BioReference has requested that AMCA cease continuing to work on any pending collection requests involving BioReference patients."

The filing notes that according to AMCA, the unauthorized activity on AMCA's web payment page occurred between August 1, 2018, and March 30, 2019.

"AMCA advised that AMCA's affected system includes information provided by BioReference that may have included patient name, date of birth, address, phone, date of service, provider, and balance information. In addition, the affected AMCA system also included credit card information, bank account information - but no passwords or security questions - and email addresses that were provided by the consumer to AMCA," the BioReference filing notes.

BioReference says it's attempting to obtain more information from AMCA and plans to promptly take additional steps once it knows more about the breach.

Scrutiny Growing

As the breach victim tally in the AMCA incident climbs, so does government scrutiny.

On Friday, in a joint statement, Connecticut Attorney General William Tong and Illinois Attorney General Kwame Raoul announced they have opened an investigation into the data breach at AMCA.

On Thursday, a spokeswoman for North Carolina Attorney General Josh Stein told Information Security Media Group that the office is reviewing a breach report AMCA submitted to the state on Monday. LabCorp - one of the victim companies of the breach - is based on Burlington, N.C.

In that breach report, a copy of which was provided to ISMG, AMCA says it discovered the “hacker/unauthorized access” breach on March 20. AMCA says security measures had been previously taken to protect the data that was compromised. “Certain information was encrypted. However the encryption keys were compromised,” the report notes.

The AMCA breach report also notes that North Carolina residents are being contacted about the incident by written notice and that there was a delay in reporting the breach to the state because “it took the company time to identify the impacted individuals and their contact information.”

The AMCA breach report also notes that, upon receiving the March 20 notice from a security compliance firm that works with credit card companies about a possible security compromise of AMCA’s web payment page, AMCA took down the payments page and retained a computer security consulting firm “to advise on and implement steps to increase its systems security.” AMCA also contacted law enforcement, the report notes.

Other States Investigate

Also Thursday, a spokesman for Minnesota state Attorney General Keith Ellison told ISMG that his office plans to look into the AMCA breach. Plus, a spokesman for New York state Attorney General Letitia James said that her office is investigating the breach and has sent letters to the companies involved demanding information about the incident. AMCA is based in Elmsford, New York.

And on Wednesday, Michigan Attorney General Dana Nessel announced that her office was launching an inquiry into the AMCA breach. In the statement, Nessel says her office is demanding information about the breach's impact on Quest Diagnostics patients.

A spokeswoman in Nessel's office tells ISMG that the attorney general also will send letters to any other companies affected by the breach.

"This data breach is yet another example of how fragile our information infrastructure is, and how vulnerable all of us are to cyber hacking," Nessel said.

As of Thursday, the AMCA breach - including any potential breach reports from Quest Diagnostics, LabCorp or BioReference - are not listed on the Department of Health and Human Services' HIPAA Breach Reporting Tool website of major health data breaches impacting 500 or more individuals.

'Troubling' Breach

The AMCA breach is "particularly troubling for several reasons," Nessel says.

"First, it appears this is a deliberate hack that increases the likelihood that accessed information may be used to commit fraud. Next, for more than seven months it appears this hacker may have had access to very personal, highly sensitive information that includes not only Social Security numbers, credit card and bank account numbers, but may have also included information from healthcare providers. We have no idea how far and wide this breach has gone."

On Wednesday, New Jersey's two U.S. senators sent a letter to Secaucus, New Jersey-based Quest Diagnostics demanding answers about the AMCA breach.

AMCA has not responded to ISMG's request for additional details on the number of companies or individuals impacted by the breach. BioReference Laboratories did not immediately respond to an ISMG request for comment.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.