## Overview
LabCorp has reached a $35 million settlement resolving litigation tied to the 2019 breach at American Medical Collection Agency (AMCA), a debt-collection vendor doing business as Retrieval-Masters Creditors Bureau Inc. The breach, which ran undetected for months, exposed sensitive patient data held by AMCA on behalf of multiple healthcare clients. LabCorp notified HHS in July 2019 that 10,251,784 of its patients were affected, making it one of the largest single-entity patient counts to emerge from the incident.
AMCA's breach was among the most consequential healthcare vendor compromises of the last decade. Attackers accessed AMCA's payment portal over an extended period, harvesting patient names, dates of birth, addresses, phone numbers, dates of service, balance information, and in some cases payment card and bank account details. Because AMCA served multiple laboratory and healthcare clients simultaneously, the total number of individuals exposed across all affected organizations ran into the tens of millions.
The settlement against LabCorp centers on the company's obligations as a covered entity responsible for the downstream handling of patient data by its business associates. The case illustrates a recurring theme in HIPAA enforcement and civil litigation: covered entities bear accountability for breaches that originate within their vendor supply chains.
## Key developments
Scale of LabCorp's exposure. LabCorp's July 2019 HHS notification identified 10,251,784 affected individuals — a figure placing the incident among the largest healthcare breaches ever reported to the federal government at the time. The breadth of the exposure drove the litigation that ultimately produced this settlement.
Business associate liability as the central legal theory. Plaintiffs argued that LabCorp failed to adequately vet and monitor AMCA's data-handling and security practices before entrusting the vendor with patient account information. This mirrors the theory regulators and plaintiffs' attorneys have applied in numerous post-breach actions: the covered entity's duty of care does not stop at its own perimeter.
AMCA's collapse following disclosure. After the breach became public in mid-2019, AMCA filed for bankruptcy protection, effectively ending its ability to pay damages directly. That outcome shifted litigation pressure onto the healthcare clients that had sent patient data to AMCA, including LabCorp and Quest Diagnostics, both of which faced separate class actions.
Years-long litigation trajectory. The settlement, reached in 2026, closed a legal proceeding that began nearly seven years earlier. The prolonged timeline reflects the complexity of multi-party class actions involving vendor breaches, and signals that organizations facing similar claims should expect litigation costs to compound well beyond the breach-response phase.
## Industry impact
The AMCA incident remains a reference case for the cost of third-party vendor risk in healthcare. According to IBM's Cost of a Data Breach Report, healthcare has recorded the highest average breach cost of any industry for more than a decade, with third-party involvement consistently identified as a factor that extends both the detection timeline and the ultimate financial impact. Breaches that originate at business associates are particularly damaging because the covered entity typically has limited visibility into the vendor's internal controls until after an incident surfaces.
OCR enforcement data shows that business associate agreements and vendor oversight have been named deficiencies in a significant share of HIPAA resolution agreements. The AMCA case did not result in a separate OCR civil monetary penalty against LabCorp, but the $35 million civil settlement demonstrates that plaintiffs' litigation can impose costs at a scale comparable to, or exceeding, regulatory fines — even when no OCR action follows.
For independent practices, the lesson is direct: patient data sent to billing companies, collection agencies, clearinghouses, or any other downstream vendor carries the practice's implicit accountability. If that vendor is breached, the practice may face regulatory scrutiny, breach-notification costs, and civil exposure regardless of where the attack originated.
## What this means for independent practices
- Audit every active business associate agreement. Confirm that BAAs are in place with all vendors that receive, process, or store PHI — including collection agencies, billing services, and clearinghouses. A missing or outdated BAA removes a foundational legal protection.
- Require evidence of vendor security controls before contracting. Ask prospective and current vendors for SOC 2 Type II reports, third-party penetration test summaries, or equivalent documentation. Accepting a vendor's self-attestation without supporting evidence transfers risk to the practice.
- Limit the PHI you send to vendors. Transmit only the data fields a vendor requires to perform its function. If a collection agency does not need dates of service or clinical codes to pursue a balance, do not include them.
- Build a vendor review cycle into annual compliance work. Relationships with collection and billing vendors often persist for years without re-evaluation. An annual review should confirm that security commitments in the BAA still reflect the vendor's current practices.
- Plan for vendor insolvency scenarios. The AMCA bankruptcy left affected covered entities holding litigation risk with no practical recourse against the vendor. Incident-response planning should include a protocol for what happens when a breached vendor cannot participate in remediation or notification.
When a vendor holding patient data is compromised, the covered entity's notification obligations, regulatory exposure, and civil liability activate regardless of where the failure occurred. Practices that treat vendor oversight as a one-time contracting step rather than an ongoing discipline will find themselves in the same position LabCorp faced: defending a breach they did not directly cause but remained legally accountable for.
## What would have prevented this
Formal vendor risk assessments before onboarding. Evaluating a vendor's security controls, data-handling policies, and breach-response capabilities before transmitting any PHI would allow practices to identify gaps — and either require remediation or select a different vendor — before patient data changes hands.
Contractual security minimums in business associate agreements. BAAs should specify not just HIPAA-required language but concrete security obligations: encryption standards, access control requirements, incident notification timelines, and the right to audit. Vague BAA language gives the covered entity little leverage when a vendor's controls prove inadequate.
Continuous monitoring of third-party access. Network and application-level monitoring that tracks what data moves to which vendors, and flags anomalous outbound transfers, can shorten the detection window for breaches that originate downstream. AMCA's breach persisted for months partly because affected clients had no visibility into the vendor's environment.
Data minimization and field-level controls. Transmitting only the minimum PHI necessary for a vendor to perform its contracted function limits the potential damage if that vendor is compromised. Payment card and bank account data, in particular, should not travel to vendors unless their collection or processing is the explicit service being purchased.
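The field-level minimization described here, and the "limit the PHI you send to vendors" item in the practice checklist above, can be enforced in code rather than left to whoever builds the outbound file. The following is an added Python example, not code from the article or from any organization it discusses; the field names, the three vendor functions and the sample record are assumptions made for illustration.

```python
# Added example: a minimum-necessary filter applied before any account record
# leaves the practice for a vendor. Field and vendor names are assumptions.
from dataclasses import dataclass, field

# Groups of fields the article lists as exposed in the AMCA breach.
FINANCIAL_FIELDS = {"card_number", "card_expiry", "bank_account", "routing_number"}
CLINICAL_FIELDS = {"date_of_service", "clinical_codes"}

# Per-vendor-function allowlist (assumed values): a collection agency gets only
# what it needs to pursue a balance, nothing clinical and nothing financial.
VENDOR_ALLOWLIST = {
    "collections": {"account_id", "patient_name", "address", "phone", "balance_due"},
    "payment_processing": {"account_id", "patient_name", "balance_due"} | FINANCIAL_FIELDS,
    "billing": {"account_id", "patient_name", "date_of_birth", "address",
                "balance_due"} | CLINICAL_FIELDS,
}


@dataclass
class MinimizedRecord:
    payload: dict                              # what actually goes to the vendor
    stripped: list = field(default_factory=list)  # audit trail of withheld fields


def minimize_for_vendor(record: dict, vendor_function: str) -> MinimizedRecord:
    """Keep only the allowlisted fields for this vendor function.

    Unknown functions raise, so nothing is sent by default; financial fields are
    refused for any function except payment processing even if an allowlist is
    later widened by mistake.
    """
    if vendor_function not in VENDOR_ALLOWLIST:
        raise ValueError(f"no allowlist defined for vendor function {vendor_function!r}")
    allowed = VENDOR_ALLOWLIST[vendor_function]
    if vendor_function != "payment_processing" and allowed & FINANCIAL_FIELDS:
        raise ValueError("financial fields may only go to a payment-processing vendor")
    payload = {k: v for k, v in record.items() if k in allowed}
    stripped = sorted(k for k in record if k not in allowed)
    return MinimizedRecord(payload, stripped)


# Constructed sample account (fictitious values) with every field type the article names.
SAMPLE_ACCOUNT = {
    "account_id": "ACCT-0001", "patient_name": "Jane Doe", "date_of_birth": "1980-01-01",
    "address": "1 Example St", "phone": "555-0100", "date_of_service": "2019-03-02",
    "clinical_codes": ["80053"], "balance_due": 142.50,
    "card_number": "4111111111111111", "bank_account": "000123456",
}

if __name__ == "__main__":
    result = minimize_for_vendor(SAMPLE_ACCOUNT, "collections")
    print("sent:", result.payload)
    print("withheld:", result.stripped)
```

The `stripped` list is worth logging per transmission: it is the evidence, at review time, that the fields withheld from each vendor match what the BAA says that vendor needs.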
Incident-response planning that accounts for third-party breaches. A practice's breach-response plan should include procedures for scenarios where a vendor — not the practice itself — is the source of a notification. This means knowing which vendors hold PHI, having contact escalation paths for each, and understanding the practice's independent notification obligations under the HIPAA Breach Notification Rule regardless of what the vendor reports or fails to report.