DataBreaches.Net


American Medical Collection Agency breach impacted 200,000 patients – Gemini Advisory

Posted on May 10, 2019 by Dissent

A data breach involving a medical collection agency affected more than 200,000 patients who had used the firm’s online payment portal between September, 2018 and the beginning of March, 2019.

At the end of February, Gemini Advisory analysts identified a Card Not Present (CNP) database that had been posted for sale in a dark web market. The offering had been described as “USA|DOB|SSN,” and because CNP data is rarely sold with associated date of birth and Social Security numbers, their analysts suspected a compromise in an online portal that would collect these types of data as part of a transaction.

Through further analysis, Gemini analysts identified several top affected banks that primarily focus on Health Savings Accounts (HSAs), Health Reimbursement Accounts (HRAs), Flexible Spending Accounts (FSAs), and Medicare Medical Savings Accounts (MSAs). These various medical accounts are used to pay health insurance deductibles, dental and vision care, and any other qualifying medical expenses.

In a statement to DataBreaches.net, Gemini Advisory’s Director of Research, Stas Alforov, explained:

On February 28, 2019, Gemini Advisory identified a large number of compromised payment cards while monitoring dark web marketplaces. Almost 15% of these records included additional personally identifiable information (PII), such as dates of birth (DOBs), Social Security numbers (SSNs), and physical addresses. A thorough analysis indicated that the information was likely stolen from the online portal of the American Medical Collection Agency (AMCA), one of the largest recovery agencies for patient collections. Several financial institutions also collaboratively confirmed the connection between the compromised payment card data and the breach at AMCA.

Gemini initially identified approximately 8,000 victims and hundreds of banks, but additional research revealed that the exposure window lasted for at least seven months beginning in September, 2018, and had affected more than 200,000 victims.

On March 1, 2019, Gemini Advisory attempted to notify AMCA by phone but, it tells this site, received no response to the messages it left. Gemini then promptly contacted federal law enforcement, who reportedly followed up by contacting AMCA.

Several days ago, DataBreaches.net e-mailed AMCA with questions about the incident, but received no response. Anyone attempting to use their payment portal over the past few weeks would have seen a notice, however:

AMCA’s payment portal was unavailable for weeks following notification by law enforcement that they had a problem.

DataBreaches.net does not know when AMCA first disabled their payment portal, but Google’s cache indicates that it had been disabled by April 8 at the latest. It could have been much sooner.

This week, the payment portal was operational again.

But there is no notice on the site about any breach, and AMCA does not appear on HHS's breach tool.

Among the questions that AMCA did not answer was a question about HIPAA. I can find no reference to HIPAA on their site, but medical collection agencies generally have obligations under HIPAA and HITECH in the event of a breach and must have business associate agreements in place with HIPAA-covered entities that they provide billing/payment collection services to.

AMCA’s payment card breach posed greater risks for some of the patients than we usually think about with payment card breaches. Alforov explained why:

In a medical breach, personal debit and credit cards are not the only thing at stake. Health Savings Accounts (HSAs) are often tied to specialized debit cards that are used to make medical-based payments but can also be used for regular purchases at the cost of a severe tax penalty.

Account holders often only periodically use HSAs due to the incentives for accumulating funds that can later be withdrawn without any penalties during retirement, meaning that they are likely not as closely monitored for any daily unauthorized activities. Thus, they make easier targets for criminal actors who attempt to monetize the compromised data from medical breaches such as AMCA’s.

We are often encouraged to, and many of us do, routinely check our bank statements for unusual activity and our credit card statements for signs of misuse. But if an account is linked to a debit or credit card that you use only for paying medical bills in an emergency, or if it is the savings account you are building up for your future care, criminals could be draining it without your noticing in time to report the theft to your bank. And without timely reporting, your bank might not restore your funds or cover your losses.

So if you are not doing it already, add "Regularly check ALL accounts, including the ones you are not currently using" to your routine. And where possible, put freezes on accounts that you do not intend to use in the near future.

Regardless of whether AMCA is covered by HIPAA, it might find itself in the unenviable position of facing debtors who threaten to sue over the breach. Think of the exchange, "If you keep hounding me for payment of this doctor's bill, I will sue YOU and the doctor for violating my privacy and exposing me to embarrassment and possible fraud or identity theft." What would AMCA or another collection agency do? Would it simply drop the payment demands to protect itself and its clients from litigation over the breach? Would it offer debtors a discount to compensate them?

This post will be updated if more details become available from AMCA about its HIPAA status or about the breach itself.

Category: Breach Incidents, Hack, Health Data, Of Note, Subcontractor, U.S.

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.