June 5, 2019
LANSING -- Michigan Attorney General Dana Nessel announced today she will issue letters to three companies demanding information about a data breach affecting 12 million people around the country. The number of Michigan residents who may be affected is not known at this time.
The breach involved at least three companies – American Medical Collection Agency (AMCA), Quest Diagnostics and Optum360. New York-based AMCA provides medical debt collection services to Quest Diagnostics and other health providers and health plans that have not yet been named. Optum360 contracted with AMCA to provide services to Quest. The breach affected 12 million of Quest’s patients, whose personal information was maintained by AMCA. It does not appear that AMCA has provided any public notice of this breach.
According to information reported publicly by Quest on June 3, Quest was notified of the breach by AMCA on May 14 and provided with the number of impacted patients on May 31. Quest reports it has not yet received detailed or complete information from AMCA, including the names and addresses of affected patients.
“This data breach is yet another example of how fragile our information infrastructure is, and how vulnerable all of us are to cyber hacking,” said Attorney General Dana Nessel. “And here in Michigan, we continue to rely on media reports that alert us to these terrible situations because – unlike most other states – we have no law on the books that requires that our office be notified when a breach occurs. I am determined to get information quickly and accurately to take steps to protect our residents.”
Nessel’s office determined that Quest reported to the US Securities and Exchange Commission that, between August 1, 2018 and March 30, 2019, an unauthorized user had access to AMCA’s system, which included financial information (credit card numbers, bank account information) medical information and other personal information (including social security numbers).
“This breach is particularly troubling for several reasons,” said Nessel. “First, it appears this is a deliberate hack that increases the likelihood that accessed information may be used to commit fraud.
“Next, for more than seven months it appears this hacker may have had access to very personal, highly sensitive information that includes not only social security numbers, credit card and bank account numbers, but may have also included information from health care providers.
“Finally, Quest is only one of AMCA’s medical clients, so it is possible that patient information from other healthcare providers may have also been breached. We have no idea how far and wide this breach has gone.”
Consumers who believe they may have been affected by this breach should immediately take the following steps to protect their information:
For more information on what to do during a data breach, review the Michigan Attorney General’s consumer alert on data breaches.