OPKO Health Announces Customer Data Breach as Part of the AMCA Incident

Last updated September 17, 2021
Written by:
Bill Toulas
Bill Toulas
Infosec Writer
Image Source: opko.com

OPKO Health Inc., the Miami-based medical products, diagnostics, and pharmaceuticals company has announced a customer data breach that affects about 422600 of their customers. The records concern clients from all around the globe, as the company has a presence in 30 different countries through its subsidiaries. As we discussed only two days ago, when we presented the LabCorp breach, the company responsible for this mess is AMCA (American Medical Collection Agency). AMCA has been breached by hackers, and since the company has many collaborators, we will keep seeing news like this surface every day.

Last week, it was LabCorp with 7.7 million customers and a couple of days earlier than that it was Quest Diagnostics with 12 million patient data. This makes the OPKO Health number of exposed people pale in comparison to the above, but 422.6k records are by no means a laughable amount, especially when it concerns highly sensitive diagnostics or even payment information. According to the information that surfaced through the filing with the U.S. Securities and Exchange Commission (AMCA hasn’t disclosed anything about this to the press yet), the customer data that was leaked to the public includes patient name, DoB, address, phone, date of service, provider, and balance information.

About 6600 of the patients that have been exposed had credit card and bank account information in their data, so this group will be notified by a separate letter sent by AMCA. What has not been leaked is the Social Security Numbers of the patients. OPKO says that since no collection request have been sent to AMCA since October 2018, patients who enjoyed their services after that date cannot have been compromised. As with the previous cases, AMCA is still investigating the incident and is not ready to share any information about how the breach happened. However, the indications show that it has to do with the payment webpage, which has been taken down now.

AMCA is a large entity with numerous collaborators, so we are bound to see more of the same type of stories in the following days. The billing collections company is obliged by law to inform the SEC office of what has happened, as long as the breaches involve a certain number of people and above. For the smaller ones, we’ll have to wait and see what pops up on darknet marketplaces, bundled for sale and promoted as “pure”.

What would be a fair penalty for AMCA, who has already surpassed the leaked record number 20 million? Let us know in the comments down below, and share this post through our socials, on Facebook and Twitter.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: