LabCorp Reaches $35M Settlement Over AMCA Breach Affecting 10M+ Patients
In a significant development that underscores the ongoing consequences of healthcare data breaches, LabCorp has reached a $35 million settlement related to the massive American Medical Collection Agency (AMCA) data breach that exposed over 10 million patients' sensitive information. This settlement serves as a stark reminder of the far-reaching impact that third-party vendor breaches can have on healthcare organizations and the patients they serve.
What Happened
The breach originated with the American Medical Collection Agency (AMCA, the trading name of Retrieval-Masters Creditors Bureau, Inc.), a debt collection company that provided billing and collection services to numerous healthcare organizations, including LabCorp. Between August 2018 and March 2019, an unauthorized party had access to AMCA's web payment page; the intrusion was disclosed in mid-2019 and compromised the personal and financial information of millions of patients across multiple healthcare providers, Quest Diagnostics and LabCorp among them.
LabCorp, one of the nation's largest clinical laboratory companies, was among AMCA's clients affected by the breach. LabCorp itself was not breached: patient information was compromised through the collection agency that LabCorp had engaged, which is what makes this one of the largest third-party (business associate) breaches in healthcare to date.
The unauthorized access to AMCA's payment system ran for roughly eight months before it was detected. An attacker with that much dwell time can harvest data continuously as it is entered, which is why the exposure extended to payment details and not only to the account records AMCA already held.
Who Is Affected
The breach impacted a staggering 10,251,784 LabCorp patients whose accounts had been referred to AMCA for collection. This is one of the largest patient populations ever compromised in a single healthcare-related incident.
Those affected include:
- Individuals who received laboratory services from LabCorp
- Patients whose unpaid balances were referred to AMCA for collection
- Anyone whose personal or payment information was held in AMCA's compromised systems
- In some cases, guarantors or family members whose details appeared on a patient's account
Breach Details
Public reporting established the point of intrusion (AMCA's web payment page) but little about the technique used. What was exposed varied by AMCA client, because each client shared a different set of data with the agency. For LabCorp patients, the compromised information included:
- Personal identifying information such as names, addresses, and phone numbers
- Dates of birth
- Dates of service, the name of the ordering provider, and account balance information
- For roughly 200,000 patients who paid through AMCA's website, payment card or bank account details
According to LabCorp's own disclosure, it did not provide ordered tests, laboratory results, or diagnostic information to AMCA, and AMCA advised that it did not hold Social Security numbers or insurance identification information for LabCorp consumers. (Patients of other AMCA clients, notably Quest Diagnostics, did have Social Security numbers exposed.) Even so, the combination of identity, contact and balance data is enough to support convincing collection scams and account takeover attempts.
The breach occurred entirely within AMCA's systems, highlighting the risk that business associate relationships pose to covered entities under HIPAA. The Security Rule requires a covered entity to obtain satisfactory assurances, through a written business associate contract, that the business associate will safeguard electronic protected health information (45 CFR § 164.308(b)), and it sets out the required contract terms (45 CFR § 164.314(a)). Those assurances do not transfer the covered entity's accountability to its patients.
What This Means for Patients
The $35 million settlement represents accountability for the breach, but the implications for affected patients extend far beyond financial compensation. Patients face several ongoing risks:
Identity Theft Risk: Names, addresses, dates of birth and account details are the raw material for identity theft and for targeted phishing and fake collection calls, a risk that persists for years because this information does not expire the way a password does.
Medical Identity Theft: The exposure of medical information creates opportunities for fraudsters to use patient identities to obtain medical services or prescription medications.
Financial Fraud: The subset of patients whose payment card or bank account details were captured on AMCA's payment page face the most immediate risk of unauthorized charges and account takeover.
Privacy Violations: The unauthorized disclosure of medical information represents a fundamental violation of patient privacy rights protected under HIPAA's Privacy Rule (45 CFR § 164.502).
How to Protect Yourself
If you believe you may have been affected by this breach, take these immediate steps:
Monitor Your Credit: Place fraud alerts on your credit reports with all three major credit bureaus (Experian, Equifax, and TransUnion). Consider freezing your credit reports to prevent unauthorized account openings.
Review Financial Statements: Carefully examine bank statements, credit card statements, and insurance explanations of benefits for any suspicious activity.
Check Medical Records: Request copies of your medical records from healthcare providers to ensure no fraudulent medical services appear in your file.
Document Everything: Keep detailed records of any suspicious activity, correspondence about the breach, and steps you've taken to protect yourself.
Consider Identity Monitoring: Enroll in identity monitoring services that can alert you to potential misuse of your personal information.
Stay Informed: Monitor communications from LabCorp and any legal proceedings related to the settlement to understand your rights and available resources.
Prevention Lessons for Healthcare Providers
This massive breach offers critical lessons for healthcare organizations about third-party risk management:
Vendor Due Diligence: Healthcare providers must thoroughly vet business associates' security practices before entering into contracts. This includes reviewing security assessments, certifications, and incident response capabilities.
Business Associate Agreements: Ensure comprehensive Business Associate Agreements (BAAs) that clearly define security obligations, breach notification requirements, and liability allocation. A BAA is required before PHI is disclosed to a business associate (45 CFR § 164.502(e)), and its mandatory terms are specified in 45 CFR § 164.504(e) and § 164.314(a).
Ongoing Monitoring: Implement continuous monitoring of business associate security practices rather than relying solely on initial assessments. An eight-month intrusion at a vendor is exactly the kind of failure a point-in-time questionnaire will not catch.
Incident Response Planning: Develop clear procedures for responding to business associate breaches, including notification timelines and patient communication strategies.
Risk Assessment: Regularly conduct risk assessments that include third-party relationships and implement appropriate safeguards as required by the HIPAA Security Rule.
Data Minimization: Limit the PHI shared with business associates to the minimum necessary for the intended purpose. LabCorp's decision not to send test results or Social Security numbers to AMCA materially reduced what the attacker could take from its patients, and is a concrete illustration of why this principle matters.
The LabCorp-AMCA breach settlement serves as a sobering reminder that healthcare organizations remain responsible for protecting patient information even when working with trusted business partners. As cyber threats continue to evolve, healthcare providers must maintain vigilance in protecting the sensitive information entrusted to them by patients.
This case also highlights the importance of comprehensive HIPAA compliance programs that address not just internal security practices but also the complex web of business relationships that characterize modern healthcare delivery.