The AMCA case: Hacking and data breaches in healthcare

In August 2018, hackers gained access to AMCA’s systems and remained undetected for almost a year (Whittaker, 2019). The breach resulted in over 25 million patient records being compromised (Davis, 2019). AMCA, the American Medical Collection Agency, is a company providing billing and collection services for many large organisations in the healthcare sector. Among its clients are medical laboratory testing businesses, healthcare providers and clinical laboratories (Quest, n.d.). As a result of the data breach, AMCA has lost many clients and is currently facing lawsuits and state investigations. AMCA has filed for bankruptcy protection (Whittaker, 2019).

The hackers gained access to a system containing various types of data. Some of AMCA’s clients provided financial information, Social Security Numbers and medical information (Quest, n.d.), while others also provided names, addresses, phone numbers, dates of birth, dates of service, balance information and treatment provider information (Davis, 2019; Whittaker, 2019).

The value of this personal information to cybercriminals is that they can use credit card information to steal money from the affected patients, or they can fraudulently obtain money from financial or social service providers (Davis, 2019;, 2019). Additionally, cybercriminals can run personalised phishing campaigns, or sell the information and use it to the detriment of the affected consumers. If, for example, they learn from the stolen data that you are a customer of a clinical laboratory, along with the dates of your visits and your remaining unpaid balance, they can run a whole range of online scams and extortion.

The problem of data breaches also affects the medical research sector. University research projects have recently become main hacking targets, with over 1,000 cyber attacks last year (Amorosi, 2019).

Organisations that handle sensitive data need to ensure the security of their clients. For this, experts advise creating a joint security framework that includes technology, processes, training, and staff (Davis, 2019). The problem that many healthcare organisations and research institutions face, however, is a shortage of security personnel and little to no budget allocated to cybersecurity. Additionally, it is not uncommon for medical researchers to use unofficial and unapproved software to communicate with colleagues and to store and process data. This often goes against organisational policies and poses a huge risk for IT security systems (Amorosi, 2019).


