More healthcare providers have confirmed that they were affected by American Medical Collection Agency (AMCA) data breach over the last few days. To date, there are 18 healthcare providers who were affected and over 25 million were considered victims.

Retrieval Masters Credit Bureau (RMCB), AMCA’s parent company, discovered the AMCA breach on March 21, 2019. The breach investigation revealed that the hacker had accessed the AMCA payment web site for about 8 months. In that amount of time, the hacker had access to an enormous volume of sensitive patient data, which include Social Security numbers and financial data.

AMCA advised all affected entities about the breach in May 2019, but released only limited details. The majority of covered entities impacted by the breach did not have enough information particularly about the identification of the affected patients. The first to declare that it was affected by the breach was Quest Diagnostics, then LabCorp followed by BioReference Laboratories. A lot more healthcare organizations submitted breach reports in the previous week.

AMCA has been sending breach notification letters to the people who had their financial data exposed, however there are others who have not received the notification yet. One example is Austin Pathology, which recently announced that it was impacted by the breach. AMCA told Austin Pathology that it sent notifications to approximately 1,800 Austin Pathology patients who had their financial data exposed.

According to Austin Pathology, 46,500 of its patients were impacted by the breach. AMCA has not sent notifications yet to the 44,700 patients who potentially had the following information exposed: name, address, phone number, birth date, dates of service, provider specifics, and account balances. It may take weeks to notify all the affected patients.

Here is the list of entities affected by the AMCA data breach and the number of records exposed. To date, the number of individuals whose protected health information (PHI) were exposed stands at 25,102,690.

Quest Diagnostics/Optum360 -12,900,000

LabCorp – 7,700,000

BioReference Laboratories/Opko Health – 422,600

Penobscot Community Health Center – 13,000

Clinical Pathology Associates – 2,200,000

American Esoteric Laboratories – 541,900

Carecentrix – 500,000

Sunrise Medical Laboratories – 427,000

CBLPath Inc. – 148,900

Laboratory Medicine Consultants – 147,600

Austin Pathology Associates – 46,500

South Texas Dermatopathology PLLC – 16,100

Pathology Solutions – 13,300

Seacoast Pathology, Inc – 10,000

Arizona Dermatopathology – 7,000

Laboratory of Dermatology ADX, LLC – 4,240

Western Pathology Consultants – 4,550

Natera – Unconfirmed

As it is now, the second largest healthcare data breach that ever got reported is the AMCA data breach. The first is the 78.8 million-record Anthem data breach in 2015.

As of June 19, 2019, AMCA already spent $3.8 million on its breach response. Over 7 million breach notification letters were sent. IT consultants were retained to investigate. RMCB CEO Russell Fuchs lent AMCA $2.5 million to cover the breach notifications cost. Then, RMCB filed for Chapter 11 protection.

Both state attorneys general and the HHS’ Office for Civil Rights are going to investigate AMCA to find out if the breach could be linked to poor security and HIPAA violations. OCR has fined defunct organizations for HIPAA violations in the past. Bankruptcy doesn’t protect against regulatory penalties.