On June 3, 2019, Quest Diagnostics, one of the largest clinical laboratory companies in the United States, disclosed that an unauthorized user had accessed the systems of its billing collections vendor, the American Medical Collection Agency (AMCA), for approximately eight months between August 1, 2018, and March 30, 2019. The breach exposed the personal, financial, and medical information of approximately 11.9 million Quest Diagnostics patients. Within weeks, additional victims emerged, including 7.7 million LabCorp patients and nearly 423,000 BioReference Laboratories patients, pushing the combined total past 20 million people. AMCA filed for bankruptcy protection less than three weeks after the breach was publicly disclosed.
The Breach Timeline
The AMCA breach went undetected for eight months — a timeline that underscores the dangers of inadequate monitoring of third-party vendor environments:
- August 1, 2018: Unauthorized access to AMCA's web payment system begins.
- March 30, 2019: AMCA is first notified of the compromise by a cybersecurity compliance firm that discovered AMCA patient data for sale on the dark web.
- May 2019: AMCA notifies Quest Diagnostics and LabCorp of the breach.
- June 3, 2019: Quest Diagnostics publicly discloses the breach in an SEC filing.
- June 4, 2019: LabCorp discloses in its own SEC filing that approximately 7.7 million of its patients were affected.
- June 17, 2019: AMCA's parent company, Retrieval-Masters Creditors Bureau, files for Chapter 11 bankruptcy protection.
Data Compromised
The data exposed in the breach included highly sensitive personal and medical information:
- Social Security numbers
- Financial account information (credit card and bank account numbers)
- Medical information (though Quest stated that laboratory test results were not included)
- Personal identifiers (names, dates of birth, addresses, phone numbers)
The combination of financial and medical data made this breach particularly dangerous for victims, who faced risks of both financial fraud and medical identity theft.
A Third-Party Risk Management Failure
The AMCA breach is a case study in the risks organizations face when outsourcing critical functions to third-party vendors without adequate ongoing oversight. Several factors make this incident especially instructive for TPRM professionals:
Concentration risk: AMCA served as a billing collections vendor for multiple major healthcare laboratory companies simultaneously, so a single vendor compromise exposed the patients of several competing laboratories at once. Quest Diagnostics, LabCorp, BioReference Laboratories, and other healthcare organizations were all affected because they shared a common third-party vendor, and none of them could have detected the intrusion from inside their own networks.
Delayed detection: The breach persisted for eight months before discovery, and it was not AMCA's own security systems that detected it — it was an external compliance firm that found patient data for sale on the dark web. This suggests that AMCA lacked adequate intrusion detection, log monitoring, and security operations capabilities.
Delayed notification: Even after AMCA learned of the breach on March 30, 2019, it did not notify its healthcare clients until mid-May 2019, a delay of roughly six weeks that further limited the affected organizations' ability to respond and notify patients promptly.
Regulatory and Legal Consequences
The AMCA breach triggered a wave of regulatory and legal action:
- Bankruptcy: AMCA's parent company, Retrieval-Masters Creditors Bureau, filed for Chapter 11 bankruptcy on June 17, 2019, citing the costs of breach notification, IT remediation, and anticipated legal liabilities. The company disclosed it had sent breach notification letters to approximately 7 million individuals at a cost of $3.8 million — a cost that was unsustainable for a company of its size.
- State attorneys general investigations: Multiple state attorneys general launched investigations into the breach and AMCA's data security practices.
- Class action lawsuits: Numerous class action lawsuits were filed against AMCA, Quest Diagnostics, and LabCorp on behalf of affected patients.
- HHS breach notification: The breach was reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights, which maintains a public database of healthcare breaches affecting 500 or more individuals.
- Congressional scrutiny: Several members of Congress wrote to Quest Diagnostics and LabCorp demanding information about their vendor oversight practices and how a billing vendor was able to store such large volumes of sensitive patient data.
Lessons for Healthcare Vendor Risk Management
The AMCA breach highlighted systemic weaknesses in how healthcare organizations manage third-party vendor risk:
- Assess vendor security maturity. AMCA was a relatively small billing collection agency handling extremely sensitive data for Fortune 500 healthcare companies. The mismatch between the sensitivity of the data and the vendor's security capabilities should have been flagged in a thorough TPRM assessment.
- Require contractual breach notification SLAs. The roughly six-week gap between AMCA's discovery of the breach and notification to its clients is unacceptable. Contracts should require notification within 24-72 hours of discovery, define what counts as discovery, and name the client contacts to be notified.
- Monitor for data on the dark web. In this case, the breach was detected by an external firm finding patient data for sale online. Organizations should implement or contract for dark web monitoring services that can detect exposed data.
- Evaluate vendor financial stability. AMCA's rapid descent into bankruptcy left affected organizations without a functioning vendor and limited the ability to conduct forensic investigations. Vendor financial health is a key TPRM risk indicator.
- Minimize data sharing. Healthcare organizations should evaluate whether billing vendors truly need access to Social Security numbers, medical information, and full financial account details, or whether de-identified or tokenized data could serve the same purpose.
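One way to put the data-minimization lesson into practice, as an added example that is not code from the page or from Quest, LabCorp, or AMCA: the data owner replaces Social Security numbers and card numbers with keyed tokens before a record leaves its boundary, keeps the token-to-value mapping in its own vault, drops clinical fields the collections workflow never needs, and hands the vendor only tokens, last-four digits, and the balance. The sample record, the field names, and the `TokenVault` class are constructed assumptions for illustration.

```python
"""Tokenize patient identifiers before sharing a billing record with a vendor.

Added example (not from the page, Quest, LabCorp, or AMCA). A keyed HMAC is
used rather than a plain hash because the SSN space is only about 10^9 values:
an attacker holding a vendor database of unkeyed SHA-256(SSN) could recover
every SSN by brute force in seconds, while HMAC under a key the vendor never
receives closes that path.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample record, as a laboratory's billing system might hold it.
SAMPLE_RECORD = {
    "patient_id": "P-1001",
    "name": "Jane Example",
    "dob": "1980-04-12",
    "ssn": "123-45-6789",
    "card_number": "4111111111111111",
    "test_results": "hemoglobin A1c 5.4%",
    "balance_due": 245.00,
}

# Clinical data a collections vendor has no need for: dropped outright.
FIELDS_TO_DROP = ("test_results",)
# Identifiers the vendor only needs to match and display partially: tokenized.
FIELDS_TO_TOKENIZE = ("ssn", "card_number")


class TokenVault:
    """Token store that lives inside the data owner's boundary (assumed design).

    Tokens are deterministic per (field, value) under a secret key, so the
    vendor can correlate repeat referrals for the same patient, but the raw
    value can only be recovered by the owner via detokenize().
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        self._vault: Dict[str, str] = {}

    def tokenize(self, field: str, value: str) -> str:
        # Field name is bound into the MAC so an SSN and a card number that
        # happen to share digits never yield the same token.
        mac = hmac.new(self._key, f"{field}:{value}".encode("utf-8"), hashlib.sha256)
        token = f"tok_{field}_{mac.hexdigest()[:24]}"
        self._vault[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Owner-side reverse lookup; never exposed to the vendor."""
        return self._vault[token]


def prepare_for_vendor(record: Dict[str, object], vault: TokenVault) -> Dict[str, object]:
    """Return the minimized copy of `record` that is safe to send to the vendor."""
    vendor_copy: Dict[str, object] = {}
    for field, value in record.items():
        if field in FIELDS_TO_DROP:
            continue
        if field in FIELDS_TO_TOKENIZE:
            digits = str(value).replace("-", "")
            vendor_copy[f"{field}_token"] = vault.tokenize(field, digits)
            vendor_copy[f"{field}_last4"] = digits[-4:]  # enough for "ending in 6789"
            continue
        vendor_copy[field] = value
    return vendor_copy


def leaks_raw_identifiers(vendor_copy: Dict[str, object], original: Dict[str, object]) -> List[str]:
    """Pre-transfer check: list any sensitive original value still present verbatim."""
    blob = " ".join(str(v) for v in vendor_copy.values())
    leaked = []
    for field in FIELDS_TO_TOKENIZE + FIELDS_TO_DROP:
        raw = str(original[field])
        if raw in blob or raw.replace("-", "") in blob:
            leaked.append(field)
    return leaked


if __name__ == "__main__":
    vault = TokenVault()
    outbound = prepare_for_vendor(SAMPLE_RECORD, vault)
    for k, v in outbound.items():
        print(f"{k}: {v}")
    print("leaked fields:", leaks_raw_identifiers(outbound, SAMPLE_RECORD))
```

If the vendor's copy of `outbound` is later found for sale, what the buyer gets is a name, a date of birth, an address-level identifier, a balance, and two opaque tokens; the SSN and card number, and the key needed to relate tokens back to them, never left the laboratory. The check in `leaks_raw_identifiers` is the kind of gate a data-sharing pipeline should run on every outbound batch, not once at onboarding.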
The AMCA breach remains one of the most consequential healthcare vendor compromises in history. It demonstrated that third-party risk management in healthcare is not merely a compliance exercise — it is a patient safety imperative. When a billing vendor can expose 20 million patient records and then go bankrupt, the organizations that entrusted it with patient data bear responsibility for their failure to adequately assess and monitor the vendor relationship.
Sources & References
- Quest Diagnostics SEC Filing (Form 8-K) - Data Breach Disclosure - U.S. Securities and Exchange Commission, June 2019
- HHS Breach Portal - AMCA / Retrieval-Masters Creditors Bureau - U.S. Department of Health and Human Services
- In re Retrieval-Masters Creditors Bureau Inc. - Chapter 11 Bankruptcy Filing - U.S. Bankruptcy Court, Southern District of New York, June 2019
- Quest Diagnostics Statement on AMCA Data Security Incident - Quest Diagnostics Newsroom
- LabCorp Statement on AMCA Data Breach - LabCorp, June 2019