A data breach involving a medical collection agency affected more than 200,000 patients who had used the firm’s online payment portal between September 2018 and the beginning of March 2019.
At the end of February, Gemini Advisory analysts identified a Card Not Present (CNP) database that had been posted for sale in a dark web market. The offering had been described as “USA|DOB|SSN,” and because CNP data is rarely sold with associated date of birth and Social Security numbers, their analysts suspected a compromise in an online portal that would collect these types of data as part of a transaction.
Through further analysis, Gemini analysts identified several top affected banks that primarily focus on Health Savings Accounts (HSAs), Health Reimbursement Accounts (HRAs), Flexible Spending Accounts (FSAs), and Medicare Medical Savings Accounts (MSAs). These various medical accounts are used to pay health insurance deductibles, dental and vision care, and any other qualifying medical expenses.
In a statement to DataBreaches.net, Gemini Advisory’s Director of Research, Stas Alforov, explained:
On February 28, 2019, Gemini Advisory identified a large number of compromised payment cards while monitoring dark web marketplaces. Almost 15% of these records included additional personally identifiable information (PII), such as dates of birth (DOBs), Social Security numbers (SSNs), and physical addresses. A thorough analysis indicated that the information was likely stolen from the online portal of the American Medical Collection Agency (AMCA), one of the largest recovery agencies for patient collections. Several financial institutions also collaboratively confirmed the connection between the compromised payment card data and the breach at AMCA.
Gemini initially identified approximately 8,000 victims and hundreds of banks, but additional research revealed that the exposure window lasted for at least seven months beginning in September 2018, and had affected more than 200,000 victims.
On March 1, 2019, Gemini Advisory attempted to notify AMCA, but tells this site that they did not get any response to phone messages they left. Not getting any response, Gemini promptly contacted federal law enforcement, who reportedly followed up by contacting AMCA.
Several days ago, DataBreaches.net e-mailed AMCA with questions about the incident, but received no response. Anyone attempting to use their payment portal over the past few weeks would have seen a notice, however:
DataBreaches.net does not know when AMCA first disabled their payment portal, but Google’s cache indicates that it had been disabled by April 8 at the latest. It could have been much sooner.
This week, the payment portal was operational again.
But there is no notice on the site about any breach and there is nothing on HHS’s breach tool from them.
Among the questions that AMCA did not answer was a question about HIPAA. I can find no reference to HIPAA on their site, but medical collection agencies generally have obligations under HIPAA and HITECH in the event of a breach and must have business associate agreements in place with HIPAA-covered entities that they provide billing/payment collection services to.
AMCA’s payment card breach posed greater risks for some of the patients than we usually think about with payment card breaches. Alforov explained why:
In a medical breach, personal debit and credit cards are not the only thing at stake. Health Savings Accounts (HSAs) are often tied to specialized debit cards that are used to make medical-based payments but can also be used for regular purchases at the cost of a severe tax penalty.
Account holders often only periodically use HSAs due to the incentives for accumulating funds that can later be withdrawn without any penalties during retirement, meaning that they are likely not as closely monitored for any daily unauthorized activities. Thus, they make easier targets for criminal actors who attempt to monetize the compromised data from medical breaches such as AMCA’s.
We are often encouraged to — and many of us do — routinely and regularly check our bank statements for unusual activity or check our credit card statements for signs of misuse. But if you have an account linked to a debit or credit card that you do not use except for paying medical bills in an emergency or it is your savings account for your future care, then criminals could be draining your account and you may not find out in time to report the theft to your bank. And without timely reporting, your bank might not restore your funds or cover your losses.
So if you are not doing it already, add “Regularly check ALL accounts — including the ones you are not currently using” to your routine. And where possible, put freezes on accounts that you don’t intend to use in the near future.
Regardless of whether AMCA is covered by HIPAA, they might find themselves in the unenviable position of debtors threatening to sue them for the breach. Think of the exchange, “If you keep hounding me for payment of this doctor’s bill, I will sue YOU and the doctor for violating my privacy and exposing me to embarrassment and possible fraud or identity theft.” What would AMCA or another collection agency do? Would they just drop the payment demands to protect themselves and their clients from litigation over the breach? Would they offer debtors a discount to compensate them?
This post will be updated if more details become available from AMCA about its HIPAA status or about the breach itself.