Diagnostics Lab Reports 10.3 Million Patients Affected by Collection Agency’s Hack
In a significant development within the healthcare sector, Labcorp, a leading medical laboratory testing firm, has agreed to a hefty settlement of $35 million in a class-action lawsuit associated with a major data breach that occurred in 2018. The breach, which involved the American Medical Collection Agency (AMCA), compromised the personal information of nearly 10.3 million patients. The incident highlights the serious implications of third-party vendor relationships and underscores the escalating challenges in data security within the healthcare industry.
The hacking incident at AMCA, a collection agency that filed for bankruptcy shortly after the breach was discovered, has proven to be a landmark case in terms of the scale of its impact. It affected not only Labcorp but also other prominent healthcare firms such as Quest Diagnostics and BioReference Laboratories. The breach reportedly exposed an extensive array of sensitive data, including Social Security numbers, credit card information, and medical test results, drawing significant scrutiny from regulators and legal entities alike.
Under the terms of the proposed settlement, all individuals whose personal information was transmitted by Labcorp to Retrieval-Masters Credit Bureau, operating under the AMCA name, are eligible to participate. The hack took place between August 2018 and March 2019, which means that anyone whose data was part of this incident stands to benefit from the ongoing litigation resolution.
Settlement class members are presented with two avenues to file claims. They can either document out-of-pocket losses or expenses up to $5,000 that can be reasonably traced to the AMCA breach, or alternatively, they can opt for a pro-rata cash payment of approximately $50. Notably, those affected can also apply to receive two years of medical and healthcare information monitoring services, aimed at mitigating the potential long-term consequences of identity theft and data misuse.
Labcorp, which reported a revenue of $14 billion in 2025 and operates more than 2,200 patient testing locations across the United States, has been proactive in addressing the ramifications of the breach. The company, which performed over 750 million tests for patients worldwide in the previous year, employs around 71,000 individuals and provides a broad spectrum of support services for new drug development. In its financial filings to the U.S. Securities and Exchange Commission, Labcorp disclosed its involvement in ongoing litigation and various regulatory inquiries related to the AMCA incident.
Interestingly, the company has denied all allegations of negligence or any claims of wrongdoing associated with the breach. The preliminary settlement speaks to Labcorp’s desire to resolve these disputes without admitting liability or compromising its operational integrity. A prominent statement on the settlement website underscores this standpoint, explaining that the resolution does not equate to an admission of wrongdoing, thereby maintaining Labcorp’s legal positioning.
A fairness hearing regarding the settlement is scheduled for August 20 in a federal court in New Jersey, where the court will meticulously evaluate whether the proposed settlement terms are equitable for all parties involved. As the legal proceedings unfold, the broader implications of the AMCA hack continue to reverberate throughout the industry. It serves as a crucial reminder of the critical importance of data security, especially for organizations that rely on third-party vendors for essential services.
The AMCA breach serves as a harrowing reminder of the risks associated with third-party data handling. The present situation places a spotlight on the vulnerabilities inherent in vendor relationships, especially in healthcare where sensitive patient information is at stake. Reports indicate that AMCA first became aware of potential security issues when it received multiple "Common Point of Purchase" notices in 2019, highlighting an alarming correlation between its web portal and fraudulent credit card activities.
Despite efforts to mitigate the crisis, including shutting down its web portal and engaging external cybersecurity consultants, AMCA ultimately confirmed that its servers had been breached as early as August 2018. The consequences were severe, culminating in the company’s bankruptcy filing shortly after the breach was revealed.
In summary, the repercussions of the AMCA hack have extended beyond Labcorp and affected millions nationwide, prompting heightened scrutiny from state attorneys general and regulators. In 2021, a coalition of 41 state attorneys general reached a $21 million settlement with AMCA, which imposed significant requirements for data security practices and oversight. However, the effectiveness of these measures remains uncertain, particularly given AMCA’s bankruptcy status, which has resulted in the suspension of fines owed to the states.
Labcorp’s settlement is a stark reminder of the pressing need for robust cybersecurity measures, especially as healthcare organizations increasingly depend on third-party vendors. As the industry grapples with these challenges, the Labcorp- AMCA incident serves as a pivotal case study in understanding the complexities and risks of modern healthcare data management.