If you’ve heard of the medical bill collector American Medical Collections Agency (AMCA), it’s probably not because you saw an ad on TV. Most likely you heard about its supernova-level mismanagement of cybersecurity, or you read that, as a consequence, the company filed for Chapter 11 bankruptcy protection,
The AMCA breach affected as many as 20 million consumers. The situation at this third- and sometimes fourth-party debt collection agency was ongoing. It affected at least five different labs: Quest Diagnostics, LabCorp, BioReference Laboratories, Carecentrix, and Sunrise Laboratories. The companies used AMCA as their customer bill payment portal.
During the eight months the vulnerability was unaddressed by AMCA, hackers had access to the company’s online payment page, and with that a cornucopia of sensitive personally identifiable information that included financial data, Social Security numbers, and, in one case, medical information.
Lamentable, Avoidable, Illegal and Expensive
This epic cybersecurity fail was avoidable. The AMCA breach was not only a failure to protect the millions of consumers whose data was exposed. It may be the result of AMCA’s failure to comply with HIPAA legislation.
We need to get a little granular here. As a third-party vendor to a HIPAA covered entity, AMCA would almost certainly be subject to the requirements of the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules. According to the U.S. Department of Health and Human Services representative I contacted by email, a medical bill collector is a business associate if it receives, creates, maintains, or transmits protected health information on behalf of the covered entity for a covered function, such as seeking to obtain payment for a medical bill. Among many requirements, such business associates are directly liable for “failure to provide breach notification to a covered entity or another business associate” and “failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.”
It is unclear whether AMCA failed to take reasonable steps to address and report the breach. The AMCA spokesperson declined to comment on this story, instead sending a link to the company’s website. That said, breaches come in all shapes and sizes. Some are more avoidable than others. And breach response varies even more, with ever more divergent degrees of competency.
There are many enterprise-level solutions out there to minimize the risk of such catastrophic cybersecurity events, but they aren’t available to a company that doesn’t know what it doesn’t know. In this regard, knowledge of cyber risks and cyber defense are fungible assets.
The bottom line tells the tale best. AMCA needed to file for bankruptcy protection. While I am not in a position to say exactly why this was the case, last year’s average per record cost, according to IBM’s “2018 Cost of Data Breach Study” was $157, with the average total cost to a company coming in at $4.24 million.
In other words, getting cyber wrong can represent an extinction-level event for many organizations.
The Anatomy of Liability
The AMCA breach was discovered by Gemini Advisory analysts at the end of February 2019. A database described “USA/DOB/SSN” had been posted for purchase on the dark web. On March 1, Gemini Advisory attempted to notify AMCA, and received no response. Multiple phone messages were left regarding the breach. Still, there was no response. Gemini Advisory then notified law enforcement. AMCA did not disable their payment portal until April 8.
The AMCA breach is not an isolated incident for third-party vendors in the healthcare industry. According to a recent report cited by a letter from Sen. Mark Warner (D-Va.) to Quest Diagnostics, 20 percent of data breaches in the healthcare sector in 2018 were traced to third-party vendors. Additionally, about 56 percent of provider organizations have experienced a third-party breach.
It would follow here that the vetting process a company implements in selecting third party vendors would be fully evolved by now with industry standard approaches to cybersecurity and a host of other concerns and considerations. Sadly, many companies do not have specific policies regarding the cybersecurity requirements of subcontracted entities, much less an established path to approval that assures best cyber practices are understood and practiced throughout an organization’s data ecosystem.
When it comes to debt collection, there seems to be a more pervasive lack of standards. The debt collection industry’s lobbying organization–the Association of Credit and Collection Professionals, or ACA International–offers no services or outreach that resemble an information sharing and analysis center, or ISAC. According to the ACA representative I contacted, the ACA is not in the practice of collecting, analyzing or sharing cyber threat information. They mostly seem to lobby for an impediment-free legislative environment.
Meanwhile, the ISAC-free environment matters because hackers thrive in a low-information environment. The same or similar attack is much easier to perpetrate on multiple debt collection agencies if they have no idea there’s a threat out there. Knowing what to look for, and/or being prepared for the attack du jour is among the most powerful cyber tools. While ACA International does provide compliance guidelines as well as two opt-in data security and privacy programs in their ongoing educational seminars, it’s all passive. No one has to do anything. Cybersecurity is not a spectator sport. It is an ongoing activity that must evolve as urgently and persistently as the threats it addresses.
Vetting, Adulting: Take Your Pick
It’s time to grow up. With the lack of specific federal regulations on the cybersecurity practices of third-party vendors, the companies that subcontract with them have to self-police and develop effective vetting processes. When asked if they vetted third-party vendors–or the companies they in turn subcontract–Quest Diagnostics declined to provide me with an answer. The LabCorp response to my questions on this score were similarly unilluminating.
It should go without saying that data breaches and compromises caused by third-party subcontractors and business associates are not unique to the healthcare sector. U.S. Customs and Border Protection officials issued a statement on Monday that photos of traveler’s faces and license plates had been compromised due to a “malicious cyberattack.” The data breach originated from a subcontractor network.
The prevalence of data breaches that originate from third-parties has long been an open secret, and lawmakers are increasingly demanding answers. Sens. Robert Menendez (D-N.J.), Cory Booker (D-N.J) and Mark R. Warner (D-Va.) sent letters asking the testing labs what they did to vet the security measures of AMCA, and inquiring how the breach went unnoticed for so long. They also asked what cybersecurity measures they had at the time, and if all affected parties had been reported. Fair questions all.
If you need a more institutional take, Moody’s Investor Service designated the AMCA breach a credit negative for both Quest Diagnostics and LabCorp, and predicted the breach could result in “new regulations and requirements” regarding how U.S. companies evaluate their vendors before selecting them. We can hope.
The AMCA breach is merely the latest manifestation of the perils of hiring a third-party subcontractor insufficiently cyber-safe for this or that assignment. The lab testing companies may have had cybersecurity best practices in place, but they were only as secure as their least-protected third-party vendor. The frequency of data breaches is drastically rising, and companies that fail to operate within a cybersecurity framework when hiring third-party business associates may well find themselves on the bankruptcy-side of a catastrophic breach.
To manifest the wisdom of Yogi Berra, the only solution here is to have a solution. If you don’t have one, it’s time to find one, or practice your vetting skills on hiring a third party to help you get your cyber game where it needs to be to survive the third certainty in life: Breach happens. Survival is a skill.