A couple of weeks ago, Quest Diagnostics and LabCorp, two companies in the healthcare field, announced that they had been affected by a data breach. As it turned out, the root of the actual HIPAA data breach lay with a debt collection firm, the American Medical Collection Agency (AMCA). This week, AMCA’s parent company filed for Chapter 11 protection.
In its bankruptcy paperwork, the company laid the blame for its financial distress squarely on the data breach.
While the total number of people affected is not known yet, over 20 million have been affected… potentially. As it turns out, AMCA has admitted that it had no way of knowing who had and hadn’t been affected by its 8-month-long data snafu, so it had to conclude that everyone must have been. (The initial claim was 200,000 people. That’s missing two zeros.) The media know that the following companies’ patients were affected:
- Quest Diagnostics: 11.9 million
- LabCorp: 7.7 million
- BioReference Laboratories: 423,000
- Carecentrix: 500,000
- Sunrise Laboratories: n/a
Because AMCA is a debt collection agency, it has been pointed out (as the initial news of the breach made the rounds) that a lot of companies would be affected by this latest information security incident: while the numbers above make it obvious that AMCA had a direct business relationship with Quest and LabCorp (severed since the breach), it’s common practice for collection agencies to buy debt from others and pursue any leads. If AMCA was engaged in this common industry practice, then it’s possible that many, many smaller groups of people (think groups of 1,000 or fewer) associated with medical firms and private practices would join the ranks of Quest et al.
BAs Sending Out Notifications – Is It for LabCorp?
According to healthitsecurity.com, AMCA’s parent company “has spent $3.8 million to mail over 7 million individual notices to individual breach victims” as part of the company’s efforts to deal with HIPAA’s notification requirements. Whether this is the first batch of notifications by the company or is the final count of letters sent is not specified.
AMCA sending out notifications is a little unusual, since one would imagine that the collection agency is not the owner (that is, the primary holder) of the patient data. Under HIPAA, a third party to medical practices, like a bill collector, is classified as a business associate (BA), and a BA generally reports the data breach to the data owner (the hospitals, clinics, and other medical entities that collect the patient’s information, be it medical, financial, or otherwise). So, the expectation is that Quest, LabCorp, and others would be spending money to reach out to those affected by the data breach.
Of course, it could be that Quest and others have an agreement with their BAs that, if the BA is the source of the data breach, then it would fall on business associates to send the notification letters. After all, HIPAA doesn’t prevent a third party from paying for notifications; it only requires that affected people are notified on a timely basis.
Of the companies listed above, LabCorp alone seems to fit the description of “over 7 million individuals.” It should be noted that LabCorp’s patient data that was breached only included:
first and last name, date of birth, address, phone, date of service, provider, and balance information.
You’ll notice that there is no medical data whatsoever, unlike other companies affected by the breach. While the following is speculation, combine these two pieces of information, and all signs seem to indicate that LabCorp really gave thought to what would happen in the event of a medical data breach, and how they wanted to be protected.
Of course, all HIPAA covered entities are supposed to do this. However, as this single incident shows, not all do it; or at least, they don’t do it correctly. Indeed, if industry sources are to be believed, it’s rarely done, correctly or otherwise. The consensus appears to be that people just check off the minimum requirements and call it a day. That is not, however, what HIPAA requires of covered entities and business associates. At all.
Credit Card Processors Could Have Done In AMCA?
If you read the Chapter 11 filing, you’ll find this footnote (our emphasis):
While the Debtor [AMCA’s parent company] was encouraged by the emergence of some significant clients that expressed an interest in continuing business with the Debtor, that prospect was quickly undermined by Visa and Mastercard, who insisted on onerous and impossibly expensive conditions (including the likely imposition of contractual “fines”) on the Debtor’s going-forward ability to accept credit card payments (which they gave no assurances would be processed even if the conditions were met) in what seemed to me to be short-sighted refusal to work in good faith with a long-standing customer with which they had never had any issues before.
This should be an eye-opener for those doing business, no matter what that business may be. (If you’re asking yourself, “Can Visa and Mastercard do that?”, the answer is “Yes; all of them can, not just those two.” They are, after all, private companies.)
But it may be even more of an eye-opener to medical entities. In the past five years or so, as HIPAA/HITECH rules got “more onerous” and “more strictly enforced,” those associated with the medical sector loudly complained about the federal “guideline” (which, let’s face it, isn’t a guideline, at least not the way laypeople interpret that word) for being… well, onerous and enforced.
But perhaps, in light of this latest revelation, HIPAA’s heavy-handedness ought to be interpreted as looking out for patients and medical companies: If you’re involved in a massive patient data breach, something other than HIPAA could sink your business.
Of course, Visa and Mastercard’s actions are related to HIPAA, but not in the way you may suppose. There have been many companies and organizations that are covered entities and have had massive data breaches. They, as far as one can tell, have never had their business sink because of their information security incidents. So, there must have been something about AMCA that led the processors to determine that, with the addition of a massive breach, it was not really worth doing business with it.
Credit-card processors are the original “big data” companies. In fact, they’re the ones that figured out that AMCA had a data breach on its hands using their tremendous amounts of real-time data. But, even when you’re quite adept with big data, you need a signal of sorts to guide you where to look.
It wouldn’t be surprising to find out that, with the power of big data, and the breach acting as a signal, the two processors looked more closely into AMCA’s business, decided it was riskier than they initially thought, and decided to balance it out by “insisting on onerous and impossibly expensive conditions.”