19
Jun 19

Collections Firm Behind LabCorp, Quest Breaches Files for Bankruptcy

A medical billing firm responsible for a recent eight-month data breach that exposed the personal information on nearly 20 million Americans has filed for bankruptcy, citing “enormous expenses” from notifying affected consumers and the loss of its four largest customers.

The filing, first reported by Bloomberg, comes from the Retrieval-Masters Creditors Bureau, the parent company of the American Medical Collection Agency (AMCA). Earlier this month, medical testing firm Quest Diagnostics said a breach at the AMCA between Aug. 1, 2018 and March 30, 2019 led to the theft of personal and medical information on 11.9 million patients.

On June 4, KrebsOnSecurity broke the news that another major AMCA client — LabCorp — was blaming the company for a breach affecting 7.7 million of its patients.

According to a bankruptcy filing, LabCorp and Quest Diagnostics both stopped sending the AMCA business after the breach disclosure, as did the AMCA’s two other biggest customers — Conduent Inc. and CareCentrix Inc.

Bloomberg reports the data breach created a “cascade of events,” which incurred “enormous expenses that were beyond the ability of the debtor to bear.”

“Those expenses included more than $3.8 million spent on mailing more than 7 million individual notices to people whose information had been potentially hacked,” wrote Jeremy Hill. Retrieval Masters CEO Russell H. Fuchs “personally lent the company $2.5 million to help pay for those mailings, he said in the declaration. In addition, IT professionals and consultants hired in connection with the breach had cost Retrieval-Masters about $400,000 by the time of the filing.”

Retrieval Masters said it learned of the breach after a significant number of credit cards people used to pay their outstanding medical bills via the company’s site ended up with fraud charges on them soon after. The company also reportedly slashed its staff from 113 to 25 at the end of 2018.

The bankruptcy filing may also be something of a preemptive strike: Retrieval-Masters is already facing at least three class-action lawsuits from plaintiffs in New York and California.

A copy of the bankruptcy filing is available here (PDF).

Tags: , , , , , , ,

62 comments

  1. What I find interesting too is that Optum 360, a revenue cycling subsidiary of United Healthcare, the insurer, was the company who had the partnership with AMCA and thus they had a hand in this too and so far they seem to be skating away from any recognition of that fact or admitting any responsibility. We all should know United Healthcare is one big huge data farm that happens to sell health insurance on the side just about.

    Optum 360 also does the billing for the Mayo Clinic and many other large hospital system, McClaren, Dignity Health and more in the US, and they are the ones that find “revenue opportunities” with medical bills and are the creators in part of the surprise bills that patients get that are over the top.

    So again, how does Optum 360 have access to all this patient data in order to bill and then use AMCA to help collect it and not have some kind of a role here? Optum 360 it sounds to me was indeed a level of contact and information exchange to tell the bankrupt collection company who to call, you think?

    So I guess as they always seem to do, UNH will skate on any responsibility here as well as they have a large army of data scientists that already know the answers they want and they create models to substantiate their data actions, and of course consumers lose, just like they are on this breach deal. Scary but I expect to see more stuff like this, just dumped on the consumer with exposing their data and they just don’t seem to care at corporate USA anymore.

    • Optum360 is a contracted provider of Revenue Cycle management services. AMCA is one of Optum360’s sub-contracted collection firms.

      AMCA is not a “partner” of Optum360.

      I’m not a fan of UHC or Optum, or of the consolidation of the US healthcare system in anticipation of being the last man standing when we have single-payer imposed upon us.

      In this case, I can’t see how Optum 360 is to blame any more than any other firm that hires a collection agency.

      • United Healthcare/Optum patent in it’s entirety Read about the processes they want to patent and probably already use to mine and scrape your social data to store on their servers to query w/other data about you to risk assess you even more. I’ve been reporting on their data farms for over 10 years and the close to 300 data subsidiaries they have acquired, all the actions take place in subs, and it’s how they stay under the radar…CMS and HHS use a ton of United Healthcare/Optum Models. Former insiders there have told me that for years so no I cannot excuse and will not be bliss and feel they didn’t have exposure in this..I used to write software and know how code works so don’t be bliss and in the meantime 20 million people are screwed to fight all of this on their own with no credit report protection, absolutely nothing and that’s how corporate America goes with the code and algo games, all about “their” profits.

        https://patentimages.storage.googleapis.com/24/d3/60/d42ec2a1fc3f0a/US20160284037A1.pdf

      • Paul Sachtleben

        While I agree that ultimately AMCA is responsible for the data breach the “data furnisher” is ultimately the guardian of such data and is responsible for any subcontractor they choose to send their data to. I don’t know all the particulars in this case but it is highly likely that AMCA did not have sufficient data security practices in place and that Optum360 did not perform enough due diligence in hiring them (if they were, in fact, responsible for hiring AMCA). Sadly, it may take an awful situation such as this to properly shine light on the necessities of comprehensive (and expensive) data security practices.

        • You are correct. As the main owner of that relationship, it was the responsibility of Optim360 to perform a thorough vendor risk assessment of ACMA security and data handling controls, and the sad reality is they probably just decided to work with them without fully understanding that risk because ACMA was the most “cost effective” solution. In the end, you get what you pay for, right? The only recourse they have at that point is to ensure the liability limits when Optum360 is sued directly as a collector passes directly through to ACMA, which it most likely will not. Outside that, it’s the cyber insurance policy and possibly an umbrella policy, but likely the limits and coverage amounts won’t be sufficient to handle a bankruptcy inducing event. Net-net here is if you’re in a position of managing vendor relationships, you MUST do your homework and vet your vendors closely. Any risk they have is YOUR risk. If you accept it, then you’re also going to be liable when the breach happens.

  2. KoSReader6000000

    Considering the HIPPA and other privacy laws broken and the grossly abusive debt collection tactics used, I am really not surprised by the actual but obscured medical debt-collection company Retrieval-Masters Creditors Bureau [RMCB] bankruptcy. Hopefully, the sick and poor individuals who were victimized by RMCB abusive tactics and then skinned again by credit card scammers will get some justice. We will have to wait and see.

    “…CEO Russell H. Fuchs “personally lent the company $2.5 million to help pay for those mailings, he said in the declaration.” Brian Krebs quotes from the bankruptcy filing.

    Oh, how sad it for Mr. Fuchs… or possibly ex-lawyer Fuchs. What a poor guy. I wonder what will become of his lush pay check, fancy auto and home? Will he loose them? Probably not.

    I understand the Chapter 11 bankruptcy filing is a “Re-organization” under federal laws. The company will continue to function but with a bankruptcy examiner looking over the books. In some ways it worse than chapter 7 bankruptcy and in some ways it is better. We might actually see how he lost all of those credit card and social security numbers.

    I will note the actual wording of Fuchs’ loan to the company from the bankruptcy filing:

    “…the Debtor[RMCB] obtained a secured loan from my personal funds in the amount of $2.5 million, which together with existing cash-on-hand was sufficient to fund mailing of the notices.” Page 7 of the Ch 11 bankruptcy filing.

    See Brian’s link below.
    https://krebsonsecurity.com/wp-content/uploads/2019/06/RMCB-bank.pdf

    The $2.5 million loan is secured and all or a portion of it will be returned to Fuchs. I assume he will also be paid a good salary. I don’t see that as much of a help to Fuchs’ lenders and scammed credit card holders.

    I also perceive that said first person verbiage in the Ch 11 reorganization filing indicates Fuchs wrote the actual bankruptcy petition himself. How nice.

    I hope that this will serve to help mitigate damage to the injured, sick, and scammed credit card people Fuchs’ medical debt-collection company inflicted. It may possibly indicate to Congress that better legislation is necessary for so called medical debt-collection companies to keep this ugly situation from reoccurring. I am a little hopeful but not really assured.

  3. As always, great reporting Brian.

    While it might appear that this firm is being held responsible; with the principal — Mr. Fuchs — having to “reach into his own pocket” to pay costs (boo hoo) …

    … I suspect that this bankruptcy is only a calculated “dodge” to avoid further liability and that the same organization will simply be “re-incorporated” and resume operations under a different name.

    • +1, exactly

    • Boo-Hoo! Is right! I cry great big crocodile tears for them. As far as I’m concerned, if enough of these dodgers go out of business, maybe corporations will finally take security seriously! Despite letters saying they do – I don’t believe a word of it!!! X-(

  4. The Sunshine State

    Good article

  5. Curious about the timeline:All accounts have the breach occurring between August 2018 and March 2019. The bankruptcy filing states Retrieval Masters were not aware of the breach until March, 2019. If so then why the staff reduction at the end of 2018?

    • Anytime there’s large staff turnover – especially in IT Staff – and especially when the turnover = >80% of the staff… there’s always gaps that are left in the system.

      A server that goes unpatched because its original maintainer has left and their replacement is now in charge of all 100 servers and they are too afraid to touch this one particular server because they dont understand it, so it goes unpatched…..

      …and then s**t like Equifax and this happen…..

      …And everyone in charge is always surprised when it does.

      • Quite an eye opening and insightful comment.

      • I too am confused about the timeline. I understand the ramifications of high staff loss (in this case, a layoff, not turnover). SO why the significant layoffs in 2018 before any notice or even occurrence of a breach (according to filings, breach started in March 2019, but hard to believe that date)?
        Was something known inside the company or their customers before all the announcements to cause these significant layoffs last year?

      • In the document, it says:

        “…the Debtor also had no choice [but] to substantially reduce its workforce, from 113 employees at year-end 2019, to just 25 as of the Petition Date.”

        The document header indicates it was filed on 6/17/2019. This sounds to me that their end of year employment was at 113 employees, and as of mid June they’d let go all but 25. Given that the breach happened in August of 2018, the reduction in staff seems more likely to be a result of financial strain. It seems unlikely the reduction in staff had a causal effect on the security issues.

  6. If the problem isn’t 100% obvious: “slashed its staff from 113 to 25 at the end of 2018.”
    The staff remaining would have no respect for the company and be looking for a way out, not bothering or having time to be cautious about security.
    Likely most of IT was the first to be let go, to save money. I’ll be surprised if some CEO(s) doesn’t end up in jail for neglect of some sorts.

    • CaptainMidnight

      What’s funny is the amount they spent on notifying affected people is probably near or more than the amount they “saved” by reducing staff at the end of 2018.

      Always nearly the same script for these stories: Company lets tech issues stagnate and grow due to perceived excess cost to take care of issue(s). Breach happens and the total cost to the company is more than what it would’ve taken to fix the issue(s) in the first place. When will they learn?

      • When will they learn? When will they learn… THAT THEIR ACTIONS HAVE CONSEQUENCES?! Their fantasies can never be quenched!!!

  7. Martina Tesar

    The footnote about MasterCard and Visa was interesting.

    The filing states that they hired consultants to help migrate to a distributed environment. Gratuitous statement, it doesn’t matter who you hired to do the job, the accountability is still with them.

  8. “exposed the personal information on nearly 20 million Americans”

    “Those expenses included more than $3.8 million spent on mailing more than 7 million individual notices to people whose information had been potentially hacked,”

    Numbers never seem to add up, do they.

    • I think in that snippet they were referring to the cost of notifying just the affected LabCorp customers, which numbered 7.7 million.

      • Mt two sense about this is, most people try to sue the corporations which is just a name. The people, the ones ultimately responsible for running the organization should be ones being sued. If your ultimately (Ir)responsible for something, it needs to follow you. A person will take that M.O. to another organization and practice their poor management skills on some other place. There’s no accountability until it reaches the perfuse levels at ENRON. People need to be held accountable and then watch the security sharpen up real quick. Its very hard to track the people through the world as they move from position to position and without proper documentation, the slate it wiped clean on the next seat they take. =\

  9. Thank k you for the heads up on this filing. It should be an interesting case to watch unfold.

    The filing link that you provide is not the bankruptcy petition. Here is a link to petition:

    https://www.bankruptcyobserver.com/document/RETRIEVAL-MASTERS-CREDITORS-BUREAU/1

  10. When will companies realize that no matter what controls they have in place, your supply chain will kill you if they don’t follow the same policies and controls as their clients “should have”.

    Today, Canada and USA are preparing for Supply Chain Security Certifications.

    We hope this will help if it is adopted, and enforced.

    Defence industries in Canada and USA are in the process of requiring Cyber Security Certs.

    Let’s hope insurance gets on the band wagon and only offer Cyber Insurance if a company is Certified that they handle data securely.

  11. I hope that company goes belly up. I had my negative experience with them when out of the blue, 7 years after a surgery I got a threatening letter from them telling me what they were going to do to me if I did not pay a $164 bill I did not even know I owed the doctor. I immediately sent a check to the doctor along with angry letter and never bothered to respond to AMCA. Over the months thereafter they sent several more ever increasing in threat level letters that I completely ignored.

    Like I said, I hope they are forced to go belly up.

    • You do understand that the assets of AMCA, including their client and customer databases, will be available for sale to the highest bidder as a result of their bankruptcy.

  12. Wow, a company finally faces consequences for a leak. Guess they didn’t have insurance.

  13. Let me get this straight: they’re a collection agency for all those companies, and they didn’t have the money to mail out 20M letters first class mail, let’s see, that $10M, add another $200k or so to print them out.

    Really? Their margins were that thin?

    I’m just glad that I pay most bills WITH A CHECK, not a credit card, including Quest and LabTech.

    Yes, I did get one of the letters, so thanks, Brian, for giving me background.

    • Checks also have their shortfalls. One could argue that a card compromise impacts you less than having your bank account number compromised, especially if they also have all of your personal data like name, address, SSN, phone number, etc. You could be targeted for an account takeover at your financial institution if your PII and account information is compromised.

      Banks can reissue your debit card and link it to your existing checking account, but if your account number is compromised, usually you have to close it and open a new one. Then you’re stuck setting up direct deposit and any automatic payments you have drafted from your account. That kind of disruption can take weeks to fix. Card compromises are annoying but usually are resolved within a few days of a report.

      Also: I’d be very surprised if these large companies didn’t digitize the information from your checks and tie it back to your patient files. Makes collection efforts much easier if you have the person’s routing and account number.

  14. Couldn’t have happened to a nicer bunch of folks!

  15. ChrisSuperPogi

    The simple take-away is: the compromise for the failure to address the risk is catastrophic – Bankruptcy, in this case…. and nobody (but the criminal) wins!

    Thanks Brian for the report. We should educate the public (anew).

  16. BiometricallyInsecure

    I can’t help wondering what their real liability here is. My daughter (a minor under 17) received one of these ‘Gosh we’re sincerely sorry we lost data about you, toodles!’ snail messages from AMCA.

    Which made me wonder what on Earth was Quest doing sharing medical information about minors regarding procedures and events in which there was no debt issued (we’re all very insured over there, thank you for asking).

    Is there a statute somewhere that allows Quest and AMCA to get their butt sued off for insecurely snarfing medical information about minors?

    • InfoSec Professional

      HIPAA comes to mind if your daughter resides in the US and also many states have laws that require companies that do business in their state to secure their customer’s data. You can file a formal complaint for HIPAA violations with the Office of Civil Rights at the Federal Department of Health and Human Services (HHS). Here’s a link to their online Health Information Privacy complaint form to get you started: https://ocrportal.hhs.gov/ocr/cp/complaint_frontpage.jsf;jsessionid=C79D95B5A44C9EFA20DD0880AC538EA3. You might also want to file a Security Rule Violation complaint as well using the same link.

      • We received a notification as well. It stated they were a collection agency, but the notification was not to collect a debt. They offered 24 months of identity protections. Likely, why they filed bankruptcy.

        But my concern is this: nothing was late or owed, yet the original holder of the medical records gave access to a third party, that under HIPAA, should never have had it. As we didn’t have outstanding bills or anything in arrears, they should not have had access to social security numbers, addresses, and LAB RESULTS. Yes, our letter stated they accessed lab results.

        I’d like to sue the pants off of them.

  17. seems like no one here wants to blame the criminals. I disagree that a security failure means you can blame the victim. doesn’t work that way for home burglary or assault.

    • It’s not exactly the same thing. If someone burgles your house, you have only your stuff to lose. If you own and company and someone burgles it, you have way more to lose and should be accountable for how you protected it (or not).

      There are a lot of people in infosec who say breaches end up blaming the victim. I don’t agree in this case, because the company clearly didn’t have the resources to protect the sensitive data to which it was entrusted.

      We can argue about whether the companies that entrusted this third party with the data should also be held to account for perhaps not vetting the AMCA on their cybersecurity practices, and I think that’s fair to a degree. But there has to be some kind of accountability beyond the current status quo, IMHO.

      • Those companies entrusted this third party with their customer’s sensitive data. The end-customers are not clients of AMCA. It’s the responsibility of those companies to check to whom they outsource work to.
        And why AMCA had access to such sensitive data for the work they had to do?

        • Re: your question, the information to handle billing and collections was what they handled and had stolen. They weren’t handling medical records and no medical records were stolen.

          • I don’t know how you could do medical collections work without having CPT & ICD10 codes and dates of service. You might not have chart notes, but you’d have enough to put together a pretty good medical record.

            • Billing and medical records are subsets of a patient’s chart. They each contain similar, but distinct information for separate purposes. A provider’s notes, lab results, and lists of procedures are part of the medical record. Procedure and diagnostic codes, service dates, charges, and payments are part of the billing record.

              There is some overlap, sure, but it’s deliberately kept separate so that the most sensitive data is limited to providers.

              Most billing data is generated automatically by EMR software that responds to whatever is checked off by the provider in the course of writing their notes. For less automated offices, the provider just attaches a billing charge sheet to the client file, checking off the items to bill, along with diagnostic codes, so it can be typed up and sent for payment.

              And if it ends up in collections, the billing data should be stripped of diagnostic codes. There’s no reason why a bill collector needs that or any part of the medical records. All they need is part of the billing records.

              So when you say a bill collector may have procedure codes and dates of service, sure, they do. But that’s a billing record, not a medical record. (See above).

              I hope that clarifies it for you.

              • I didn’t need “clarification” – I’ve installed medical systems in many offices and institutions, and I’ve run a medical billing service.

                You need diagnosis codes to do medical collections as you’re often pursuing claims with carriers who refuse to pay in accordance with their contractual obligations. You won’t get far without full coding, and once you have that, you can assemble a pretty decent facsimile of a medical record.

                The “deliberate separation” of medical and billing data you mention is a figment of your imagination. It simply does not exist in any of the market-dominating medical systems. It cannot, as the financial side of medicine is interwoven with day-to-day operations in an inseparable fashion.

          • Billing records are medical records because they detail medical procedures that were performed.

      • Agreed Brian. If you leave your house door open to the street with full view of your expensive TV, Stereo and golf clubs and someone walks in and steals them; you are victim but a very stupid one. And to take the analogy further, if several friends had left their golf clubs at your house and they were stolen they would be rightfully scornful of you, victim or not. Until recently, most companies suffered little last damage from a breach but their customers had to live with years of ID theft hassle. So victims yes. Responsible for not properly securing their customers information? guilty.

  18. Just Passin’ Thru

    Thanks for your, as ever, excellent reporting Brian.

    @wiseacre: The victim in this case loses any credible claim to victim-hood if he did not detect the intrusion nor exfiltration for 8 months. It’s no secret anymore that the law requires notification of breaches, so the risks of that occurrence should have been factored into his business model, including risk avoidance and mitigation.

  19. It seems that medical debt collections alone is a hipaa violation.

    • Unfortunately, that’s not the case.

      HIPAA allows your information to be shared to business contacts as needed. HIPAA’s biggest limitations are imposed upon those who might actually need the information the most (parents, etc.).

      • True, but only by consent. And you don’t have to consent.

        People should really get used to reading privacy policies at their doctor’s office and putting in writing any objections.

        Objections to insurance company dictates can also be voiced, especially if they live in an area where insurance companies cannot deny coverage for exercising one’s rights.

        If enough people say “NO, you may not outsource my healthcare,” it can be revolutionary.

        The problem is that people are scared to say no or pay out of pocket or fight with doctors or insurance.

  20. Anyone ever check out their sister brand’s/company’s website?

    https://www.retrievalmasters.com/

    Notice the (untrusted) HTTPS cert… issued to the wrong domain, expired a year ago and not yet replaced.

    They obviously ……”take security very seriously”……as everyone who’s ever been breached will state for the cameras.

    • Wow, a self-signed root cert. /facepalm

      • Just curious, how could you tell it was a self-signed root cert?

        • >Just curious, how could you tell it was a self-signed root cert?

          By definition, all root certificates are self-signed.

          Properly implemented they are used to sign intermediate certificates, then the root certificate is locked away in a manner requiring multiple individuals to unlock it — until such time it is needed to be pulled out of off-line storage to sign a new intermediate or certain other rate activities.

          • (For clarification it’s the root private key that is locked away in offline storage; the root public key which is commonly referred to as the root cert is always accessible as that is what is used to validate the Certificate Authority chain of trust.)

        • In general, I’d encourage people to use SSL Labs’s ssl test [1]

          Here’s a subset of what it has to say:
          > Valid until Thu, 31 May 2018 19:04:36 UTC (expired 1 year ago) EXPIRED

          > No NOT TRUSTED (Why?)

          > Path #1: Not trusted (path does not chain to a trusted anchor)
          > 1 Sent by server
          > Not in trust store
          > retrievalmasters.retrievalmasterscreditorsbureau.com Self-signed
          > Fingerprint SHA256: 390bdc497df5b89b00c0031d17e7656a14562b1dc61ac0e342389cbe6b129871
          > Pin SHA256: EMWGaqIASoFDtimtIBJ6oYrRsNGk1RnTzi3j9cPdk4w=
          > RSA 2048 bits (e 65537) / SHA256withRSA
          > Valid until: Thu, 31 May 2018 19:04:36 UTC
          > EXPIRED

          > Certificate #2: RSA 2048 bits (SHA256withRSA) No SNI
          > Alternative names *.prod.iad2.secureserver.net prod.iad2.secureserver.net MISMATCH
          > No NOT TRUSTED (Why?)

          [1] https://www.ssllabs.com/ssltest/analyze.html?d=www.retrievalmasters.com&latest

        • @RT: Chrome showed that when clicking on the “Not Secure” text next to the URL, and then clicking “Certificate.”
          Further clicking on “Details” shows that they issued the cert themselves: “Issuer Name: retrievalmasters.retrievalmasterscreditorsbureau.com”

    • Meh…I’m guessing they’re just parking a domain and were a bit sloppy on a site not used for security-critical use.

      This link:

      https://censys.io/certificates?q=retrievalmasters.com

      Provides a much better view of their history of certificate usage.

      Hey folks…look we don’t do DNS Zone Transfers so you can’t guess hostnames! Look folks, we request individual certificates instead of wildcards so when you scan an IP you get (at least the SNI default) certificate including a specific hostname to try an attack! (Wonder if any security manager out there is already typing up a new policy to have SNI respond with a generic certificate when no hostname matches the webserver / load balancer configuration 😀 )

      • SNI to hide certificates is an expired security through obscurity tactic (I use it, so, I’m not saying one shouldn’t use it, just that it doesn’t provide security).

        The reason is that modern browsers (i.e. the only ones anyone can consider using if they care about security at all) require Certificate Transparency [1] see the Chrome announcement [2] to the CAB Forum [3] (CA/Browser Forum).

        Roughly, CT requires that CAs publish the public portion of certificates they issue in tamper evident records which are essentially blockchains (one of very few good uses of that technology).

        [1] https://www.certificate-transparency.org/
        [2] https://cabforum.org/pipermail/public/2016-October/008638.html
        [3] https://cabforum.org/

        • >SNI to hide certificates is an expired security through obscurity tactic

          It’s not for purposes of obscuring the certificate. I don’t care who has the public keys or knows about them.

          It’s to thwart IP address scans from successfully reaching a web server.

          Load Balancer: Drop all connections without a hostname valid for this IP.
          Also Load Balancer just before dropping connection: Here is a certificate with a hostname valid for this IP.

          :/

          It isn’t security through obscurity, it is reducing the exposed surface and making an attacker have to work harder.

  21. Already disliked Quest before all this. Our company used them for annual screenings previously. You set your password 1x and can never change it on the site they set up for us. That’s an automatic red flag, just like my energy company that stores credit card info but has a 10 character upper-limit on password size… Needless to say, I mail them a check.

  22. Karma.

  23. I read your article. Interesting, to say the least. However, you have very little knowledge in regards to the SLA (Service Level Agreement). Now, why is that critical since it establishes the way the PII, PHI, PCI-DSS is transmitted to AMCA 3rd party vendor?
    Of course, let’s blame AMCA! The easy way out for Quest / LabCorp and others. I laugh at your analysis.
    Since I was the Analysts Expert that deep dived into the Anthem breach of 85 million clients PHI data that was Network breach!
    I’ll educate you if the SLA {Service Level Agreement} stipulate the data sent to AMCA was in clear text, transferred over FTP {unsecured protocol, the data AMCA received from the Prime Vendor in this case Quest / LabCorp violated HIPPA requirements. Under the law, collections agencies, are not required to adhere to HIPPA laws! Look it up and educate yourself.
    AMCA does have to comply with PII or PCI-DSS. information sent to AMCA unencrypted {clear text} and the SLA did not require AMCA require the HIPPA to encrypt the data received from Quest / LabCorp in clear text over FTP AMCA will have a massive lawsuit against their Client.

  24. What a joke, these guys deserve some serious jail time. They harass people for years over medical costs that were largely unavoidable, have terrible opsec (on purpose to be cheap) and then walk away with no penalty when they screw 20 million people. Personal bankruptcy destroys lives for a decade, why should corporations be able to incur vastly higher debt and destroy vastly more of our economy while the architects of this destruction just walk away whistling to their mansions?