The AMCA breach happened between Aug. 1 and March 30, the company has said, though AMCA is not the entity that discovered the breach. According to Tatyana Shulman v. Laboratory Corporation of America Holdings, Gemini Advisors, a data security company that wasn’t working for AMCA, found a lot of compromised payment cards on a dark web market in late February — a month before the breach was stopped — and traced it back to the AMCA online portal. Gemini notified AMCA on March 1, but did not get responses to phone messages, so it notified federal law enforcement, which contacted AMCA.

The plaintiff in that suit, Shulman, was the victim of credit-card fraud twice during the data breach, according to her federal complaint.

Plaintiffs in these suits are calling AMCA’s security measures inadequate judging by the length of time — 242 days or about eight months — it took to detect, while technology security company FireEye says the median time to detect a breach in 2018 was 78 days, according to the Shulman complaint

The medical industry is a particular target of hackers, according to multiple complaints, and the FBI publicly warned the industry in 2014 that its security measures were not adequate, according to the Shulman complaint.