Information about the AMCA Data Security Incident

Trump Bingate, July 12, 2019

On June 4, 2019, LabCorp announced that it had been notified by Retrieval-Masters Creditors Bureau, Inc. d/b/a American Medical Collection Agency (AMCA) about unauthorized activity on AMCA’s web payment page. AMCA is an external collection agency that was used by LabCorp and other companies. LabCorp referred patient balances to AMCA when our direct collection efforts were unsuccessful. AMCA’s affected system contained information provided by LabCorp and patients.
LabCorp systems and the data on our systems were not affected by the AMCA incident.
LabCorp did not provide test, laboratory results, or clinical information to AMCA.
AMCA indicates that it did not maintain Social Security Numbers or insurance information for LabCorp patients.
AMCA’s affected system may have contained patient personal information provided by LabCorp and, for a more limited number of patients, financial information provided by the patient to AMCA.
LabCorp takes data privacy and security very seriously, including the security of data handled by vendors.
We continue to investigate and to work with AMCA to learn more about this incident.
Please review the information below to learn more about the AMCA incident, and check back regularly to obtain the most current, updated information we are able to provide.
The notice that LabCorp filed on June 4, 2019, can also be reviewed here.
1. AMCA Is An External Collection Agency Whose IT Systems Experienced Unauthorized Activity
AMCA is an external collection agency used by LabCorp and other companies.
LabCorp referred patient balances to AMCA when our direct collection efforts were unsuccessful.
According to AMCA, there was a security incident involving unauthorized activity on an AMCA information technology system between August 1, 2018 and March 30, 2019.
AMCA’s affected system contained information provided by LabCorp and patients.
The limited information provided by LabCorp to AMCA included patient personal information, but did not include test, laboratory results, or clinical information.
The information on AMCA’s affected system did not contain Social Security Numbers or insurance information for LabCorp patients.
AMCA’s affected system may have contained credit card or bank account information that patients provided to AMCA to make payments.
LabCorp has not yet been allowed to independently verify the information provided by AMCA about the AMCA incident. Our investigation is ongoing.
2. LabCorp Takes Data Security Very Seriously
LabCorp takes data privacy and security very seriously, including the security of data handled by vendors.
LabCorp has made and will continue to make significant investments to enhance the security of its information technology and data systems.
3. LabCorp Systems And Data On Those Systems Were Not Affected
This incident affected AMCA’s system and the data stored on that system, which is completely separate from LabCorp.
LabCorp’s systems and data stored in LabCorp’s systems were not affected by the AMCA incident.
We recognize our responsibility to secure the data of our patients and providers, and we are committed to protecting the integrity of that information.
4. There Is No Connection Between the AMCA Incident And LabCorp’s July 2018 Ransomware Incident
The current AMCA incident and the July 2018 LabCorp ransomware incident are completely separate.
5. AMCA’s System Did Not Include Healthcare Information Or Social Security Numbers
Approximately 7.7 million patients had information on AMCA’s affected system that was provided by LabCorp.
LabCorp did not provide ordered test, laboratory results, or clinical information to AMCA.
AMCA has advised LabCorp that Social Security Numbers and insurance identification information are not stored or maintained for LabCorp patients.
Information provided by LabCorp to AMCA could include first and last name, date of birth, address, phone, date of service, provider, and balance information.
AMCA has indicated that its affected system also included credit card or bank account information that was provided to AMCA by approximately 200,000 patients when they made payments.
6. AMCA Had Information Only For LabCorp Consumers Whose Accounts Were Referred For Collection
The AMCA incident involves only patients whose LabCorp accounts were referred to AMCA for collection after LabCorp’s own direct collection efforts were unsuccessful.
Consumers whose accounts were not referred to AMCA are not affected.
LabCorp continues to investigate the AMCA incident and is continuing to work diligently to obtain from AMCA more information about which patients were included in AMCA’s affected system.
LabCorp will take additional steps that may be appropriate, including making any required notifications, once more is known about the AMCA incident.
7. Steps Being Taken By LabCorp
Once notified, LabCorp immediately ceased sending new collection requests to AMCA and stopped AMCA from continuing to work on any pending collection requests involving LabCorp patients.
LabCorp continues to investigate the AMCA incident and is continuing to work diligently to obtain from AMCA more information about which patients were included in AMCA’s affected system.
LabCorp will take additional steps that may be appropriate, including making any required notifications, once more is known about the AMCA incident.
8. Steps Being Taken By AMCA
AMCA has indicated that it is continuing to investigate this incident; that it has taken steps to increase the security of its systems, processes, and data; and that it has been in contact with law enforcement regarding the incident.
AMCA has advised LabCorp that AMCA intends to provide more specific information to approximately 200,000 LabCorp patients who had certain financial information in AMCA’s affected system.
AMCA has indicated that it will offer identity protection and credit monitoring services for 24 months to those patients it notifies about this incident.
9. Steps That Concerned Consumers Can Take
Consumers who receive a notice letter from AMCA should follow the steps outlined in that letter.
Consumers who have not received a letter from AMCA, but have questions, can call LabCorp or AMCA at the numbers below.
Consumers may also seek information about what steps they should consider from other trusted sources, such as the U.S. Federal Trade Commission, 1-877-IDTHEFT (1-877-438-4338); www.ftc.gov/idtheft. Many states also provide guidance about responding to a data security incident.
10. Phone Numbers To Request Additional Information
Individuals and clients with questions can contact LabCorp Customer Service at 888-295-0466.
Individuals can also contact AMCA directly at 800-666-8097.
