Billing collection agency breach affects at least 19.6 million consumers

The American Medical Collection Agency (AMCA) recently began notifying its clients of a hack that exposed personal and billing data of its clients, including approximately 11.9 million Quest Diagnostic patients and 7.7 million LabCorp patients.

According to Securities and Exchange Commission filings from Quest Diagnostics and LabCorp, an unauthorized user had access to AMCA’s system between August 1, 2018, and March 30, 2019, exposing information AMCA had collected from various entities, including Quest Diagnostics and LabCorp.

According to the LabCorp filing, the information exposed in the hack included:

• Addresses
• Balance information
• Dates of birth
• Dates of service
• Names
• Phone numbers
• Provider information

The hack also exposed information provided by consumers to AMCA, including credit card or bank account information used to pay their balances. AMCA informed LabCorp that Social Security numbers and insurance information are not stored for LabCorp consumers, but AMCA is in the process of sending notices to the approximately 200,000 LabCorp consumers whose financial information may have been accessed.

Quest Diagnostics’ filing contained slightly different information, stating that information affected included financial information, like credit card numbers and bank account information, medical information, and personal information, like Social Security numbers. According to the filing, laboratory test results were not impacted by the breach. Quest Diagnostics has suspended collection requests to AMCA.

Both Quest Diagnostics and LabCorp are working with AMCA to investigate the incident to fully understand the potential impact of the incident.