A data breach at billing collections service provider American Medical Collection Agency (AMCA) could impact many of the company’s customers. One victim is medical testing firm Quest Diagnostics and roughly 12 million of its patients.
AMCA has yet to make public any details about the breach, but in a filing with the U.S. Securities and Exchange Commission (SEC) Quest revealed that hackers had access to AMCA systems between August 1, 2018 and March 30, 2019.
AMCA provides services to Optum360, a revenue cycle management provider contracted by Quest. Optum360 and Quest were informed by AMCA about the security incident on May 14.
According to the available information, attackers compromised AMCA’s payment portal and gained access to financial, medical and other personal information, including social security numbers, credit card numbers and bank account information. However, in a statement sent to SecurityWeek, Quest said laboratory test results were not exposed.
“AMCA has not yet provided Quest or Optum360 detailed or complete information about the AMCA data security incident, including which information of which individuals may have been affected. And Quest has not been able to verify the accuracy of the information received from AMCA,” Quest stated. “Quest is taking this matter very seriously and is committed to the privacy and security of our patients’ personal information. Since learning of the AMCA data security incident, we have suspended sending collection requests to AMCA.”
SecurityWeek has reached out to AMCA for comment, but the company has yet to respond. On its website, the company describes itself as “the leading recovery agency for patient collections.” It claims to manage over $1 billion in annual receivables for a diverse client base, including labs, hospitals, physician groups, billing services and medical providers.
According to DataBreaches.net, which broke the news about a breach at AMCA on May 10, researchers at Gemini Advisory, which monitors the dark web for compromised credentials and financial information, came across payment card information for roughly 200,000 individuals. An analysis showed that the data likely came from AMCA. AMCA did not respond to Gemini Advisory, but the company suspended its payment portal after the cybersecurity firm notified federal law enforcement.
“Once again, a breach that results from third party vulnerabilities,” Colin Bastable, CEO of Lucy Security, told SecurityWeek. “Outsourcing billing to third party vendors is a great way to extract efficiencies by reducing core costs, but it exposes the business and its customers to uncontrollable security risks. The fragmented healthcare industry, like the fragmented home finance and buying industry, is vulnerable because there are so many moving parts, so many areas where bad actors have multiple points of entry to exploit inadequate security.”
UPDATE. AMCA has provided SecurityWeek the following statement:
“We are investigating a data incident involving an unauthorized user accessing the American Medical Collection Agency system. Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page. We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident. We remain committed to our system’s security, data privacy, and the protection of personal information.”

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
