Are your Business Associates protecting your patient data?

This week, American Medical Collection Agency (AMCA), the billing collections vendor for both Quest Diagnostics and LabCorp, reported to both companies that the data of nearly 20 million of their customers may have been compromised.

First, Quest Diagnostics said on Monday it was notified by AMCA that an unauthorized user gained access to information on nearly 11.9 million patients between Aug. 1, 2018, and March 30, 2019. Then on Tuesday, LabCorp was notified that there was unauthorized access to AMCA systems during the same time period and 7.7 million of its customers may be affected. LabCorp and Quest Diagnostics both confirmed patients’ personal information, Social Security numbers and credit card information may have been compromised after malicious activity was found on the payment pages of AMCA. 

“This once again shows how important IT security reviews are to entities and Business Associates they hand off their patient data to,” said Ron Bebus, IT consultant for PrivaPlan. When these millions of patients had their blood drawn or other medical testing done, they didn’t see the name of the third party vendor who takes care of the billing, in this case AMCA. Patients were taken care of by LabCorp or Quest, and so when those names pop up in the headlines and they learn their personal data may be at risk, it is easy to overlook who’s really behind the issue.

While LabCorp and Quest can point to the vendor as being at fault, their customers may not see it that way and their reputations are marred, not AMCA’s. The name AMCA means nothing to the consumer.

This unfortunate event is a great reminder to review all your Business Associate Agreements (BAAs) and to identify all patient data that is being shared with them. PrivaPlan performs complete reviews of their customer BAAs, even reviewing the Accounts Payables with accounting to identify any transactions that might require additional BAAs.

Also, PrivaPlan can assist you in reviewing your Business Associates’ systems and procedures for handling data, much like they do for covered entities in their annual Security Risk Assessments. Contact us today for more information at 1-877-218-7707 or
