Between August 1, 2018 and March 30, 2019, the American Medical Collection Agency (AMCA), a bill collection service provider, had unauthorized activity on its online payment page.
The AMCA works as a third-party collection agency for several major healthcare companies, including Quest Diagnostics, Laboratory Corporation of America Holdings (LabCorp), Optum360, OPKO Health, Inc., BioReference Laboratories, Inc., CareCentrix, and Sunrise Laboratories. The AMCA began reporting this data breach to these associated agencies at the beginning of June 2019.
Since then, Quest Diagnostics filed an 8-K form with the U.S. Securities and Exchange Commission stating that roughly 12 million Quest Diagnostics patients and customers have potentially had their medical and billing information exposed. Learn more about their filing and the details of Quest Diagnostics' case here.
LabCorp filed an 8-K form with the U.S. Securities and Exchange Commission stating that roughly 7.7 million of their customers' personal data had been exposed. Learn more about LabCorp and the lawsuits now arising over this data breach here.
OPKO Health, Inc. filed an 8-K form with the U.S. Securities and Exchange Commission noting that over 400,000 of its patients could be impacted by the data breach through its subsidiary, BioReference Laboratories, Inc. Learn more about BioReference and the AMCA's response to this breach here.
Other companies have filed 8-K forms with the U.S. Securities and Exchange Commission reporting that hundreds and thousands of their customers' information may have been impacted by this data breach as well.
As of today, this breach has impacted roughly 20 million patients. However, experts believe that there will be more 8-K filings to come as the investigation into the breach continues. The potentially compromised data includes the patient's name, date of birth, address, phone number, account balance information, credit card information, bank account information, and more.
This case is a stark reminder of the importance of vendor risk management. Evaluating your third-party vendor's security measures, and by extension their third-party vendors' security controls, should be a priority for practices and healthcare companies regardless of their size or scope. No matter how far removed you may seem from an outside contractor, when third-party vendors face a data breach you could be held liable.
Beyond reviewing a vendor's security systems prior to doing business with them, there are other means to help reduce your risk in the event of an attack.
Obtaining proper insurance coverage is of the utmost importance. This could be a very costly breach, and you'll need coverage in a range of areas to avoid financial hardship following a claim of this nature.
Your cyber coverage should include:
- Business Interruption Coverage
- Dependent Business Interruption Coverage
- Legal and Forensic Coverage
- Public Relations and Crisis Management Coverage
- Notified Individuals Coverage
Speak with your Professional Risk Agent today to review your current cyber policy. We've recently partnered with Beazley to bring our clients a stand-alone cyber policy that provides coverage for all of the above and more.
Contact us today at 800-318-9930 to find the coverage you need!