Like Local 3 News on Facebook:
LANSING – Michigan Attorney General Dana Nessel announced today she will issue letters to three companies demanding information about a data breach affecting 12 million people around the country. The number of Michigan residents who may be affected is not known at this time.
The breach involved at least three companies – American Medical Collection Agency (AMCA), Quest Diagnostics and Optum360. New York-based AMCA provides medical debt collection services to Quest Diagnostics and other health providers and health plans that have not yet been named. Optum360 contracted with AMCA to provide services to Quest. The breach affected 12 million of Quest’s patients, whose personal information was maintained by AMCA. It does not appear that AMCA has provided any public notice of this breach.
According to information reported publicly by Quest on June 3, Quest was notified of the breach by AMCA on May 14 and provided with the number of impacted patients on May 31. Quest reports it has not yet received detailed or complete information from AMCA, including the names and addresses of affected patients.
“This data breach is yet another example of how fragile our information infrastructure is, and how vulnerable all of us are to cyber hacking,” said Attorney General Dana Nessel. “And here in Michigan, we continue to rely on media reports that alert us to these terrible situations because – unlike most other states – we have no law on the books that requires that our office be notified when a breach occurs. I am determined to get information quickly and accurately to take steps to protect our residents.”
Nessel’s office determined that Quest reported to the US Securities and Exchange Commission that, between August 1, 2018 and March 30, 2019, an unauthorized user had access to AMCA’s system, which included financial information (credit card numbers, bank account information) medical information and other personal information (including social security numbers).
“This breach is particularly troubling for several reasons,” said Nessel. “First, it appears this is a deliberate hack that increases the likelihood that accessed information may be used to commit fraud.
“Next, for more than seven months it appears this hacker may have had access to very personal, highly sensitive information that includes not only social security numbers, credit card and bank account numbers, but may have also included information from health care providers.
“Finally, Quest is only one of AMCA’s medical clients, so it is possible that patient information from other healthcare providers may have also been breached. We have no idea how far and wide this breach has gone.”
Depending on when AMCA discovered the breach and the reasons for not providing notice to affected individuals, AMCA may be liable for failing to provide notice “without unreasonable delay” under Michigan’s Identity Theft Protection Act, with potential civil fines of $250 per violation up to a maximum of $750,000 for multiple violations that arise from the same breach. In addition, there may be violations under the federal Health Insurance Portability and Accountability Act (HIPAA), said Nessel.
Consumers who believe they may have been affected by this breach should immediately take the following steps to protect their information:
- Find out what information was compromised and act accordingly.
- Pull your free credit report at annualcreditreport.com or by calling 877-322-8228.
- Put a fraud alert on your credit file. The Federal Trade Commission provides a checklist for this.
- Consider a security freeze on your credit file.
- Take advantage of any free services being offered as a result of the breach.
- Use two-factor authentication on your online accounts whenever it’s available.
For more information on what to do during a data breach, review the Michigan Attorney General’s consumer alert on data breaches.