On June 6, 2019, Bleepingcomputer.com reported that “Medical tests and medication firm OPKO Health Inc present in over 30 countries says that one of its subsidiaries, BioReference Laboratories Inc, was notified by American Medical Collection Agency (AMCA) of unauthorized activity on its web payment page.”
Bleepingcomputer.com also reported that:
This new breach notification follows previous breach reports received by diagnostic services provider Quest Diagnostics Incorporated and Laboratory Corporation of America Holdings (LabCorp) from AMCA.
In these two breaches alone, roughly 19 million of their customers have been impacted by unauthorized access to the companies’ data stored on AMCA’s systems. [Emphasis added.]
On June 7, 2019, TechNadu.com reported the following:
OPKO Health Inc., the Miami-based medical products, diagnostics, and pharmaceuticals company has announced a customer data breach that affects about 422600 of their customers. The records concern clients from all around the globe, as the company has a presence in 30 different countries through its subsidiaries. As we discussed only two days ago, when we presented the LabCorp breach, the company responsible for this mess is AMCA (American Medical Collection Agency). AMCA has been breached by hackers, and since the company has many collaborators, we will keep seeing news like this surface every day.
Last week, it was LabCorp with 7.7 million customers and a couple of days earlier than that it was Quest Diagnostics with 12 million patient data. This makes the OPKO Health number of exposed people pale in comparison to the above, but 422.6k records are by no means a laughable amount, especially when it concerns highly sensitive diagnostics or even payment information. According to the information that surfaced through the filing with the U.S. Securities and Exchange Commission . . . , the customer data that was leaked to the public includes patient name, DoB, address, phone, date of service, provider, and balance information. [Emphasis added.]
In a recent Form 8-K Filing, OPKO Health, Inc. disclosed the following:
On or around June 3, 2019, BioReference Laboratories, Inc. (“BioReference”), a subsidiary of OPKO Health Inc. (the “Company”), was notified by Retrieval-Masters Creditors Bureau, Inc. d/b/a American Medical Collection Agency (“AMCA”) about unauthorized activity on AMCA’s web payment page (the “AMCA Incident”). AMCA is an external collection agency that has been used in the past by BioReference and other healthcare companies. According to AMCA, the unauthorized activity occurred between August 1, 2018, and March 30, 2019. AMCA has advised BioReference that data for approximately 422,600 patients for whom BioReference performed testing was stored in the affected AMCA system. AMCA advised that AMCA’s affected system includes information provided by BioReference that may have included patient name, date of birth, address, phone, date of service, provider, and balance information. In addition, the affected AMCA system also included credit card information, bank account information (but no passwords or security questions) and email addresses that were provided by the consumer to AMCA. AMCA has advised BioReference that no Social Security Numbers were compromised, and BioReference provided no laboratory results or diagnostic information to AMCA. BioReference has not been able to verify the accuracy of the information received from AMCA.
AMCA advised BioReference that it is sending notices to approximately 6,600 patients for whom BioReference performed laboratory testing and whose credit card or bank account information was stored in AMCA’s affected system. AMCA indicated that it will provide these affected patients with more specific information about the AMCA Incident in addition to offering them identity protection and credit monitoring services for 24 months. AMCA has not yet provided BioReference a list of the affected patients or more specific information about them. AMCA has advised BioReference that AMCA is providing notice to state attorneys general and other state agencies as required by applicable state data breach laws.
AMCA has reported to BioReference that it is continuing to investigate this incident, has reported the AMCA Incident to law enforcement and has taken steps to increase the security of its systems, processes, and data, including shutting down its web payments page, migrating it to a third-party vendor, and hiring a cybersecurity firm to implement various safeguards to increase security. BioReference and the Company take data security very seriously, including the security of data handled by vendors. BioReference is currently seeking to obtain more information from AMCA and plans to promptly take additional steps as may be appropriate once more is known about the AMCA Incident.
BioReference has not sent any collection requests to AMCA since October 2018, and it will not send any new collection requests to AMCA. In addition, BioReference has requested that AMCA cease continuing to work on any pending collection requests involving BioReference patients. [Emphasis added.]