by Keith Barthold
All three companies in a recent, massive healthcare data breach—with a combined at-risk population of more than 20 million consumers—used American Medical Collection Agency (AMCA) as their third-party billing and collections service provider. AMCA’s online payment pages were the source of the breach that exposed consumers’ financial, medical, and personal information.
Just when months have passed without news of a major data or security compromise, you find out you’re just as vulnerable as ever and that cyberthreats are even more sophisticated and aggressive.
The Good News
AMCA seems to have taken some responsible and significant steps to combat these breaches. They contacted the appropriate law enforcement agencies, suspended collection requests, and sent notices to several hundred thousand potentially affected consumers.
Furthermore, an AMCA spokesman confirmed that, upon receiving information from a security compliance firm about the possible security compromise, “AMCA conducted an internal review and hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security.”
According to the disclosure statement sent to the SEC, the compromised information could include name, birth date, address, date of service, phone number, balance information, and payment information, but the system at risk does not store social security numbers or insurance identification data. It’s not as bad as it could have been.
The Not-So-Good News
AMCA should be commended for its post-breach remediation activity, but there are clear signs of a lack of security readiness at AMCA. In this instance, the criminals who breached AMCA went undetected for eight months before AMCA identified the issue and started working on a solution. Had AMCA used a comprehensive strategic security platform that included breach detection with 24/7/365 monitoring, the intrusion would likely have been detected much sooner.
These incidents are wake-up calls for collection companies that use digital engagement mechanisms to interact with consumers and collect payments from them. Some companies look to cut costs in these areas, and that can lead to disaster. Companies that use third-party services for their billing and collections need to make sure those services are as safe, secure, and closely monitored as possible.
In addition to the reputational damage these companies are suffering, multiple class action lawsuits have been filed against Quest Diagnostics and LabCorp since they disclosed that customers’ personal and medical information had been compromised. On June 3, 11 class action suits were filed against Quest from multiple states. Since then, eight more have been filed in federal courts.
The Best News
Whatever industry you’re in, you’ve got to know the risks. Healthcare, in particular, is especially susceptible to data breaches because of the amount and sensitivity of personal and financial data. It also tends to focus less on cybersecurity.
You have to develop the right game plan. Organizations need the technological infrastructure, the appropriate policies and procedures, and the commitment to collective execution that it takes to be cyber secure in the world today. Companies that stay safe are the ones that planned to stay safe and followed through on that plan.
You can win the cybersecurity battle. You just have to be alert, equipped, and consistent. Anything less and you’re facing a remediation and reputation nightmare like the one facing AMCA, Quest, LabCorp, and many others.