BLOG POST: AMCA Breach Highlights Vulnerability of Debt Collection Sector
Blog Post by Cliff Baker, CEO at CORL Technologies with contributing writer Carol Kleywegt
How wide of a net must we cast for vendor security assessments? This question is made more important by the recent American Medical Collections Agency (AMCA) breaches affecting patients served by clinical lab testing providers LabCorp, Quest Diagnostics and BioReference Laboratories. AMCA was one of the largest Debt Collection companies in the U.S. and, in the course of the past year, has reported 25 million breached patient records by a hacker accessing their databases.
At CORL, we clearly see the impact that vendors down the service delivery channel have on vendor security. Our historical CORL database of vendor security risk assessments indicates that Debt Collection Vendors have not scored well in the past. Since 2016, CORL has warned clients that the sector poses a security concern. We are not surprised that a very large data breach has occurred with this category of vendor.
There is no doubt many healthcare organizations will have patients impacted by these breaches. A collective total of 25 million patient records were breached by the hacker accessing AMCA’s database of patient information.
A Closer Look at Debt Collection Vendors
In our CORL database of vendor security assessments, we have created a security assessment profile of numerous businesses falling into this type of category. Here is a closer look at what our data can tell us about the state of data security with vendors like AMCA.
Vendor Size (by number of employees) is an indicator of the internal resources available to pay attention to security and privacy concerns.
- 48% are very small vendors with 50 employees or less.
- 35% are small vendors with 51-500 employees.
- Collectively, 83% of Debt Collection and like vendors fall into a small business category; increasing the likelihood that there are not adequate resources to address security and privacy concerns.
More specific data shows that these vendors typically do not have formalized security features in place that would lower the risk of a data breach.
- 81% have no dedicated Security Personnel.
- 77% do not have Security Certifications in place. (This is not atypical of many non-healthcare business vendors, particularly if they are small-in-size.)
Both health insurance and providers are likely to have direct relationships with Debt Collection Vendors; thus, security assessments may have been performed already. For other organizations the relationship with these firms may sit further down the line in the supply chain. In any case, it is clear to us that PHI is often shared with Debt Collection Vendors as they process collections for health services rendered.
Takeaway: Audit Security of the Entire Delivery System
It is not important whether your organization has a direct relationship with a revenue management firm like AMCA as evidenced by the LabCorp, Quest Diagnostics and BioReference breaches. Healthcare delivery organizations sit at the top of the service delivery chain; thus, patients can be affected by many businesses that are not accustomed to healthcare information security protections and regulations.
The assessment, remediation and ongoing management of these vast vendor networks results in a massive amount of projects and work. We know. CORL Technologies has built an entire business around it. Our people are experts in the detailed security practices of a variety of business types commonly servicing healthcare delivery organizations. CORL is proud of our collection of known information security risk factors affecting healthcare organizations. We are continually building our knowledge base in this area.
Sharing our experience and knowledge of vendor security risk management for healthcare organizations is a priority for us. CORL’s teams are committed to working with healthcare organizations to better resolve vendor security risk. Let us know how CORL Technologies can help your organization. Contact us at firstname.lastname@example.org.