A data breach impacted an estimated 20 million patients from three medical testing labs. The breach was connected to the collection agency used by the lab to manage billing. At this time, it appears the breach occurred for eight months before the lab became aware of the issue.
Thus far, at least one case involved medical data.
How did we learn of the breach?
The American Medical Collection Agency became aware of the breach after notification from a third-party security compliance firm. Diagnostic labs who used the collection agency filed notice of the breach with the US Securities and Exchange Commission (SEC). Lab officials state the breach involved customers’ names, dates of birth, contact information and medical provider as well as credit card or bank information.
The extent of the breach depends on how each lab used the agency. Some state the company that was the subject of the breach was only privy to billing information, while others provided medical data.
What is the impact of this breach?
Lawmakers and the public are not taking the breach lightly. The breach has led to the following:
- Proposed laws. Lawmakers have proposed legislation to increase data security protections.
- Increased audits. The breach may result in increased government audits of diagnostic labs. These audits can include a review of billing practices.
News of the breach provides an opportunity for diagnostic labs to conduct an internal audit. Check to make sure all billing practices are in full compliance with applicable regulations and make changes as needed.
