CBLPath, Inc. (“CBLPath”) has been informed by Retrieval Masters Creditors Bureau d/b/a American Medical Collection Agency (“AMCA”) of a data security incident involving the AMCA payment website. AMCA is an independent collection agency that CBLPath and many other entities used for debt collection. The incident is limited to AMCA’s systems. The security of CBLPath’s systems was not affected by this incident.
According to AMCA, on March 21, 2019, AMCA became aware of facts indicating there had been a data security incident. After conducting an investigation, in May of 2019, AMCA notified CBLPath about the incident and informed CBLPath that an AMCA database containing information for some CBLPath patients had been affected. However, at the time of AMCA’s initial notification, AMCA did not provide CBLPath with enough information for CBLPath to identify potentially affected patients or confirm the nature of patient information potentially involved in the incident, and CBLPath’s investigation is on-going. Based on the information provided by AMCA, the following information belonging to CBLPath patients may have been affected by the incident: patient names, addresses, phone numbers, dates of birth, dates of service, balance information, credit card or banking information and treatment provider information. AMCA has advised CBLPath that its patient’s social security numbers were not involved in the incident. CBLPath does not provide AMCA healthcare records such as laboratory results and clinical history.
In response to the breach, AMCA sent notification letters to approximately 3,800 CBLPath patients informing them that their names, addresses, phone numbers, dates of birth, dates of service, balance information, credit card or banking information and treatment provider information may have been impacted. In addition, based on the investigation and the information provided by AMCA, CBLPath estimates that approximately another 145,100 patients may have had their names, addresses, phone numbers, dates of birth, dates of service, balance information and treatment provider information impacted by this incident. For these patients, credit card and banking information is not impacted. The impact of this incident is limited to patients whose accounts were referred for debt collection and who reside in the United States.
Individuals with questions about this incident or questions about precautionary steps they can take may call 833-297-6409 for additional information.
CBLPath, Inc. takes the security of its patients’ information very seriously, including the security of data handled by vendors. As a result of the investigation, CBLPath is no longer using AMCA for collection efforts.
The privacy and protection of patient information is a top priority. CBLPath greatly appreciates the patience and loyalty of its patients as it works to respond to this incident.