Business Associate of a Covered Entity Exposed 12 Million Patient Records

June 26, 2019

In 2019, there have been 173 confirmed data breaches reported on the U.S. Department of Health and Human Services Office for Civil Rights (OCR) breach portal. This time last year there were only 68 listed. So far, this has not been a good year for patient-related security incidents, and after the large-scale breach at the American Medical Collection Agency (AMCA), the numbers only get worse. Once this breach is included on the OCR breach portal, it will add another 11.9 million exposed records. The breach is reported to have directly involved a third party, and the details exposed included financial data, Social Security numbers, portions of medical information, and lab test results.

AMCA is a business associate of the covered entity Quest Diagnostics. Like most data breaches, it started with a notification that an “unauthorized user” had accessed information they should not have been able to reach. AMCA is still investigating to determine the entry point that allowed that access, as well as exactly what was exposed. Until an investigation proves otherwise, reported breach numbers are typically rounded up to the highest possible exposure, and narrowing that figure down is, in most cases, extremely difficult.

A breach of roughly 12 million records is substantial by any measure, especially because the largest breach in 2019 prior to the AMCA breach involved "only" 1.6 million unique records.

Outsourcing services to a third party may make financial sense and, in some cases, is your only choice, but it comes with risk. Sharing data, especially patient information, should be approached with extreme caution. Allowing a business associate to access, view, or maintain patient information on behalf of a covered entity requires a contract to be in place called a business associate agreement (HHS Guidance on Business Associates). This document should outline the expectations and requirements that apply whenever patient information leaves your practice. On its own it will never fully protect patient information, but it is a start.

Many times, this is where most covered entities stop: a business associate agreement is signed, and no further discussion occurs. That is not enough. Additional steps should be taken to confirm that those with whom you share patient information are complying with your security protocols and meeting your privacy expectations.

An easy first step in evaluating a business partner is simply to have a conversation with them. Start by creating a questionnaire that gauges how seriously they take security, and note which controls and documented procedures are in place and which are lacking. Record their responses so you can confirm that each business associate meets your expectations for securing and protecting your patients' information. Bear in mind that a questionnaire captures what the vendor says about itself; where an answer matters, ask for evidence such as the written procedure or a recent assessment report rather than accepting the claim at face value. Taking these steps gives you a better understanding of a potential partner's current security and privacy safeguards, and it also produces documentation showing that you evaluated their access to patient information before sharing it. That will not eliminate the risk, but it should meaningfully reduce the likelihood of a breach reaching your patients through a third party.