More than 400,000 Opko health customers affected by AMCA data breach



OPKO Health Inc, a medicines firm based in more than 30 countries, says that one of its subsidiaries, BioReference Laboratories Inc., was advised of unauthorized activity on its web page by the American Medical Collection Agency (AMCA).

This new violation report follows previous infringement reports from Quest Diagnostics Incorporated and AMCA’s (LabCorp) diagnostic services provider.

Roughly 19 million of its customers were affected in these two infringements alone by unauthorized access to the data of companies stored on AMCA systems.

According to a filing with U.S. Securities and Exchange Commission (SEC), AMCA told OPKO Health’s subsidiary that, between 1.1.2018 and 30.03.2019, an unauthorized party had access to the BioReference medical test data for around 422,600 patients.

Moreover, the data accessed included payment information and PII data:

AMCA indicated that BioReference may have included patient name, date of birth, address, telephone, service date, provider, and equilibrium information in the affected system. Moreover, credit card information, bank account information (but not passwords or security questions) and email adresses provided by the consumer to the AMCA were included in the affected AMCA system.

AMCA told BioReference “no social security figures have been compromised” and “no laboratory results or diagnostic information” was provided and saved on AMCA systems according to OPKO Health subsidiary.

In addition, AMCA sends infringement notifications to “6,600 patients for whom BioReference carried out laboratory testing,” the bank account and credit card information on the infringed systems.



The AMCA will also inform State Procurators and other State Agencies of the data failure as required by applicable laws in relation to state data breaches. The billing collection provider has also reported the “AMCA Incident” to law enforcement authorities and has shut down the broken web page for payment:

AMCA informs BioReference that it continues to investigate this incident, report to law enforcing the AMCA Incident and has taken steps to improve the security of its systems, processes, and data, including shutting off its web payments page, migrating it to a third-party vendor and hiring a cybersafety company to implement various security safeguards.

According to BioReference in the violation report submitted to the SEC, since October 2018, there have been no collection requests sent to AMCA and AMCA was also requested “to stop further processing any pending requests for collection of patients from BioReference.”

AMCA is the ‘ leading patient recovery agency ‘ according to its website and “manages over $1 BN in yearly receivables to a diverse client base,” serving ‘ laboratories, hospitals, doctors groups, billing services and medical providers throughout the country.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.