Two of the 42 data breaches that providers, health plans and their business associates reported to the OCR in July affected more than 10 million individuals each. Both of those incidents related to a massive data breach at billing collections vendor American Medical Collection Agency, which has sparked a set of investigations and inquiries since it was first publicly disclosed in June.
LabCorp and Quest Diagnostics in June said a data breach resulting from an unauthorized user accessing the vendor's web payment system between August 2018 and March 2019 had affected millions of their patients, but that AMCA had not yet provided them with information on which patients' data was exposed.
After further investigation, Optum360, a Quest revenue-cycle contractor that is part of UnitedHealth Group, on July 1 filed a formal report of the data breach with the OCR, reporting that the incident had affected 11.5 million people. That's the largest incident to be reported to the OCR this year and the second-largest to be reported since the OCR launched its breach portal in 2010.
LabCorp on July 13 reported that nearly 10.3 million of its patients had been affected in the data breach, marking the second-largest incident to be reported to the OCR this year and the fourth-largest to be reported since 2010.
Hacking and IT incidents, like the ones reported by Optum360 and LabCorp, accounted for almost 70% of the data breaches reported in July. The remaining data breaches resulted from theft, loss, improper disposal, or unauthorized access or disclosure of patient records.