A third healthcare company has come forward and announced it was part of a data breach at American Medical Collection Agency. This time, Opko Health said that 423,000 individuals had their personal and financial records compromised as a result of unauthorized activity that occurred between August 1, 2018 and March 31, 2019.
The announcement follows similar ones from Quest Diagnostics and LabCorp, in which the personal and financial records of as many as 20 million individuals were compromised as a result of the unauthorized activity.
The Opko customer information that was accessed included credit card and bank account information, email addresses, and other data such as addresses, phone numbers and balance information. Opko said that Social Security numbers and bank account passwords were not compromised in the breach.
As many as 20 class-action lawsuits have already been filed against LabCorp, Quest, and AMCA, according to published reports. The suits allege that the companies did not notify customers soon enough after the breach was detected.
On top of the lawsuits, a number of states have opened investigations into the breaches and lawmakers are also asking questions of the companies involved.
AMCA has hired a communications company to help it manage its response to the situation. A representative of the company, Will Rasmussen, made the following statement: “We are investigating a data incident involving an unauthorized user accessing the American Medical Collection Agency system. Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page. We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident. AMCA is providing 24 months of credit monitoring to anyone who had a Social Security number or credit card account compromised, even if the relevant state doesn’t require it. We remain committed to our system’s security, data privacy, and the protection of personal information.”