Security Response in Place After Data Breach at American Medical Collection Agency

The agency moved its online payments portal where the breach may have occurred and is working with its client Quest Diagnostics and law enforcement.

6/4/2019 2:00 PM

Security Response in Place After Data Breach at American Medical Collection Agency

American Medical Collection Agency (AMCA) is the latest subject of a large data security breach leading to possible unauthorized access to the personal, financial and medical information of nearly 12 million customers of Quest Diagnostics Incorporated.

AMCA notified Quest Diagnostics and Optum 360 LLC, Quest Diagnostics’ revenue cycle management provider, of potential unauthorized activity on the company’s web payment page on May 14, 2019, according to a filing of the incident with The Securities and Exchange Commission (SEC.)

AMCA, a billing collections vendor for Quest Diagnostics, has since moved its online payments page to a third-party vendor, according to a statement to media on behalf of the company, The Hill reports.

“Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page,” the statement said. “We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident. We remain committed to our system’s security, data privacy, and the protection of personal information.”

According to the SEC filing, AMCA reported to Quest Diagnostics and Optum 360 that:

  • Between August 1, 2018 and March 30, 2019 an unauthorized user had access to AMCA’s system that contained information that AMCA had received from various entities, including Quest Diagnostics, and information that AMCA collected itself;
  • The information on AMCA’s affected system included financial information (e.g., credit card numbers and bank account information), medical information and other personal information (e.g., Social Security numbers)
  • As of May 31, 2019, AMCA believes that the number of Quest Diagnostics patients whose information was contained on AMCA’s affected system was approximately 11.9 million people; and
  • AMCA has been in contact with law enforcement regarding the incident.

Quest Diagnostics suspended collection requests with AMCA after learning of the data breach.

Quest is taking this matter very seriously and is committed to the privacy and security of our patients’ personal information,” according to a statement from the company.

Quest and Optum 360 are working together to ensure Quest patients are informed of the data breach.

Data breaches impacting large numbers of consumers and large companies are on the rise.

According to the Experian Data Breach Industry Forecast 2019, significant data breaches impacting millions of consumers increased from about 200 per year to more than 1,300 between 2005 and 2017.

In its Data Breach Industry Forecast, Experian reports data breach attacks are targeted toward exposing data through a phishing email or malware installed from malicious websites, for example.

These attacks have also since evolved to “multi-vector” attacks by cybercriminals focused on taking over consumers’ personal devices such as cell phones and computers; not just hacking into companies that store their data.

“This means that the cyberattack of tomorrow will still include attack methods to steal SSNs and other identifying personal information, but will also include hijacked cell phones and internet services,” Brian Stack, vice president of dark Web intelligence at Experian writes in the Data Breach Industry Forecast. “Multi-factor authentication methods that rely on text messages, phone calls, or email will send pin codes to someone else who now has that access.”

ACA International has materials available for members in the ACA SearchPoint®  library under the Identity Theft tab as well as ongoing curriculum to help you stay on top of data breach regulations that apply to your business.

For companies in accounts receivable management, it’s more important than ever to stay on top of the regulations that apply to your business. ACA International will offer its CORE Curriculum seminar: Data Security and Privacy I June 11-12 with Certified Instructors Leslie Bender, IFCCE, chief strategy officer and general counsel at BCA Financial Services Inc. in Miami, and Michael O’Meara, Esq., president of The O’Meara Law Office in Everett, Washington.

The seminar focuses on implementing effective policies and procedures, notifying consumers in the event of a data security breach and exploring essential safeguards and strategies to develop a Data Security Compliance Program.

Follow ACA International on Twitter @ACAIntl and @acacollector, Facebook and request to join our LinkedIn group for news and event updates. ACA International members are welcome to submit news items for possible publication to Visit our publications page for news submission guidelines and subscriptions to ACA Daily, Collector magazine and Pulse.

Advertising is available for companies wishing to promote their products or services. Be sure to visit the ACA Events Calendar on the Education and Training page to view our listing of upcoming CORE Curriculum and Hot Topic seminars featuring critical educational opportunities for your company.

Subscribe to ACA Daily NEWSROOM