A data breach has a long memory. The intrusion behind LabCorp's $35 million settlement began in August 2018 and was not contained until March 2019. The settlement received preliminary court approval on April 21, 2026, roughly seven years after the first unauthorized login. In the interval, the company at the center of the breach, the American Medical Collection Agency, ceased to exist. Yet the liability did not die with the vendor. It flowed upstream, to the brands that had handed AMCA their patients' data, and it is those brands, LabCorp foremost among them, that are now writing the checks.
This is the defining feature of modern third-party risk. The party that fails is rarely the party that pays. AMCA collapsed in the aftermath of the breach, leaving no deep pocket and no functioning entity to be held to account. The affected individuals were not AMCA's customers; most of them had never heard of it. They were LabCorp patients, Quest patients, and the patients of a long list of other laboratories and providers that had quietly routed unpaid balances to the same downstream collection agency. When the breach surfaced, the recognizable name on the lawsuit, and the recognizable name in the headlines, was the lab, not the collector.
What happened at AMCA, and why so many labs were hit
The American Medical Collection Agency specialized in collecting small-balance medical debts. It was a back-office function, the kind of unglamorous service that healthcare organizations outsource precisely because they do not want to staff it internally. To do its job, AMCA needed data: it needed to know who owed what, for which services, and how to reach them. That meant the agency held Social Security numbers, payment-card and bank-payment information, and, because a medical bill necessarily describes the service rendered, medical test and diagnostic codes describing what each patient had been tested for.
Between August 2018 and March 2019, attackers had access to AMCA's systems. By the time the intrusion was understood, the breach affected more than 21 million individuals across AMCA's client base. More than 10 million of them were LabCorp patients. The compromised data was not limited to billing minutiae; it included Social Security numbers, payment information, and the diagnostic codes that turn a billing record into a sensitive medical disclosure.
The reason the damage spread so widely is structural, and it is the single most important fact for any compliance team to absorb. AMCA was a shared downstream vendor. It sat below multiple healthcare organizations in the data supply chain, aggregating the patient records of many separate clients into one set of systems. Each lab had performed its own diligence, signed its own contracts, and made its own assessment of AMCA's adequacy. But they were all relying on the same controls at the same vendor. A single point of failure at AMCA became a simultaneous failure for every organization that used it. Concentration risk of this kind is invisible on any one company's vendor questionnaire, because the questionnaire only asks about your relationship, not about the dozens of other relationships your vendor is carrying behind it.
The core lesson: downstream liability under HIPAA
Healthcare organizations do not get to outsource their accountability along with the work. Under the Health Insurance Portability and Accountability Act (HIPAA), a covered entity (a clinical laboratory like LabCorp qualifies) remains responsible for the protected health information (PHI) it holds, even when that information is in the hands of a vendor. A medical debt collector that handles PHI to perform billing and collection services is, by definition, a business associate under HIPAA. AMCA was a business associate, and that classification is the legal hinge on which the entire matter turns.
Three HIPAA concepts explain why the lab, and not just the defunct collector, ends up answerable.
The Business Associate Agreement (BAA). Before a covered entity may disclose PHI to a business associate, HIPAA requires a written contract, the BAA, that obligates the associate to safeguard the information, to use it only for permitted purposes, to report breaches, and to impose equivalent obligations on its own subcontractors. The BAA is the mechanism through which a covered entity extends its compliance obligations down the chain. But a contract is only as good as the conduct it governs. A BAA that recites the regulatory language and is then filed and forgotten provides documentation, not protection. It does not, on its own, cause the vendor to actually encrypt data, segment networks, or detect a seven-month intrusion.
The HIPAA Security Rule. The Security Rule requires administrative, physical, and technical safeguards for electronic PHI: access controls, audit logging, encryption where reasonable and appropriate, risk analysis, and ongoing risk management. Business associates are directly subject to the Security Rule and can be liable to regulators in their own right. But that direct liability does not relieve the covered entity. A covered entity is expected to obtain satisfactory assurances that its associates will implement these safeguards, and to act on knowledge that they are not. An intrusion that persists from August 2018 to March 2019 is, on its face, a failure of detection and monitoring that the Security Rule is designed to prevent.
The breach-notification chain. When a business associate suffers a breach, HIPAA requires it to notify the covered entity, which in turn must notify affected individuals and the Department of Health and Human Services and, for a breach affecting more than 500 residents of a state or jurisdiction, prominent media outlets serving that area. Individual notice must go out without unreasonable delay and no later than 60 days after discovery. The covered entity carries the public-facing notification duty. This is why the patient learns of the breach from LabCorp, sues LabCorp, and reads about LabCorp: the notification architecture itself routes reputational and legal exposure back to the brand. The vendor failed in private; the covered entity answers in public.
The AMCA episode is part of a broader pattern in which large consumer-facing organizations absorb the cost of failures they did not directly commit. For a parallel from outside healthcare, see the Comcast settlement and the broader breach-litigation wave, where a vendor compromise translated into a brand-level payout. The throughline is consistent: plaintiffs sue the party with assets and recognition, and that party is almost never the breached vendor.
The settlement: structure and what claimants receive
LabCorp agreed to a $35 million settlement to resolve the class action alleging that AMCA, the agency LabCorp used to recover outstanding medical debts, failed to adequately safeguard sensitive personal information. The fund is structured to give class members a choice between two cash paths, plus a set of protective services.
- Documented-loss claim of up to $5,000. Class members who can document out-of-pocket losses traceable to the breach, including expenditures on legal services and credit monitoring, may submit a claim for reimbursement up to $5,000.
- Flat claim of $50 with no proof required. Class members who do not wish to gather documentation may instead claim a flat $50 payment without submitting evidence of loss.
- Two years of protection. Class members may also receive two years of medical information monitoring and identity theft insurance, addressing the long-tail nature of the harm: stolen Social Security numbers and diagnostic codes retain value to criminals long after the breach.
The procedural calendar puts the claims deadline and the final fairness hearing on the same day: both fall on September 3, 2026.
The tiered structure reflects a familiar tension in data-breach settlements. Most class members will never be able to trace a specific dollar of loss to a specific breach, so the no-proof option ensures broad participation, while the documented-loss tier preserves meaningful recovery for those who suffered concrete, demonstrable harm. The monitoring and insurance components acknowledge a reality that a one-time cash payment cannot: the exposure does not expire when the check clears.
What healthcare and compliance teams should do
The AMCA breach is old, but the conditions that produced it are entirely current. Most organizations still have a shared downstream vendor sitting somewhere in their billing, collections, claims, or analytics chain. The following practices address the specific failures this case exposes.
Conduct real vendor due diligence, not paperwork diligence. A signed questionnaire is a starting point, not an assessment. Before sending PHI to a vendor, verify the existence of independent security attestations (such as SOC 2 Type II or HITRUST), review the results of their most recent risk analysis, and confirm specific technical controls: encryption at rest and in transit, multi-factor authentication, audit logging, and intrusion detection. Treat collection agencies and other back-office vendors with the same rigor as a clinical system; the sensitivity of the data does not decrease because the function is unglamorous.
Write BAAs with teeth. Move beyond regulatory boilerplate. Require breach notification within a defined, short window. Reserve audit and inspection rights. Mandate that the vendor flow equivalent obligations to its own subcontractors and disclose who those subcontractors are. Pair the BAA with contractual indemnity so that a vendor failure carries a financial consequence the vendor must bear, a provision that is only meaningful if the vendor is solvent and adequately insured, which is itself a diligence item.
Monitor continuously, not at onboarding. The AMCA intrusion lasted roughly seven months. Point-in-time diligence at contract signing would not have caught it. Build continuous monitoring of critical vendors: periodic reassessment, security-rating feeds, breach-disclosure tracking, and contractual reporting obligations that surface problems while they are still containable.
Minimize what the vendor receives. A collection agency needs enough information to collect a debt. It rarely needs the full clinical record, and the inclusion of granular diagnostic codes in the AMCA data set magnified the harm. Apply data minimization to every vendor disclosure: send the least sensitive data set that allows the vendor to perform its function, tokenize or truncate identifiers where possible, and question every field before it leaves your environment.
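The following is an added example of the minimization step described above; it is not code from the article, LabCorp, AMCA, or any HIPAA toolkit. It applies an allowlist of the fields a collector plausibly needs, refuses to release a record that carries clinical codes, replaces the account number with a keyed HMAC token the collector can still report payments against, and truncates the SSN to its last four digits. The field names, the allowlist, the sample record and the key are constructed assumptions; in practice the key comes from a secrets manager and the allowlist from the vendor's documented purpose.

```python
"""Allowlist-based data minimization for a collections hand-off.

Added example; not code from the article, LabCorp, or any collection agency.
The field names, vendor allowlist and sample record are constructed for
illustration, and the HMAC key is a placeholder (use a secrets manager).
"""
import hashlib
import hmac
import re

# Constructed profile of what a debt collector needs to collect a balance.
# Every field in the source record that is not listed here is dropped.
COLLECTOR_ALLOWLIST = frozenset({
    "first_name", "last_name", "mailing_address", "phone",
    "date_of_service", "balance_due",
})

# Clinical fields that must never reach a collector regardless of what a
# request asks for; their presence in a billing feed is treated as an error,
# not silently dropped, because it signals an upstream pipeline defect.
FORBIDDEN_FIELDS = frozenset({
    "diagnosis_codes", "test_codes", "cpt_codes", "lab_results",
})

SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


class MinimizationError(ValueError):
    """Raised when a record cannot be released safely."""


def tokenize_account_id(account_id: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token: stable per account, so the collector can
    report payments back against it, but not reversible without the key.
    A bare SHA-256 would be brute-forceable over the small space of account
    numbers; the secret key closes that gap."""
    return hmac.new(key, account_id.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def truncate_ssn(ssn: str) -> str:
    """Keep only the last four digits (assumed to be what the collector uses
    for caller verification); reject malformed input rather than guess."""
    if not SSN_RE.match(ssn):
        raise MinimizationError("malformed SSN")
    return ssn[-4:]


def minimize_for_collector(record: dict, key: bytes) -> dict:
    """Return the least sensitive projection of `record` that still lets a
    collector pursue the balance: unknown fields are dropped, clinical fields
    abort the release, direct identifiers are tokenized or truncated."""
    clinical = FORBIDDEN_FIELDS.intersection(record)
    if clinical:
        raise MinimizationError(f"clinical fields in collections feed: {sorted(clinical)}")
    if "account_id" not in record:
        raise MinimizationError("record has no account_id to tokenize")

    out = {"account_token": tokenize_account_id(record["account_id"], key)}
    out.update({k: v for k, v in record.items() if k in COLLECTOR_ALLOWLIST})
    if "ssn" in record:
        out["ssn_last4"] = truncate_ssn(record["ssn"])
    # Payment card and bank details are deliberately not on the allowlist:
    # payments are reconciled against the token, so the collector never
    # needs them. Provider names fall off the same way.
    return out


# Constructed sample record as it might sit in a lab's billing system.
SAMPLE_RECORD = {
    "account_id": "ACCT-0001987",
    "first_name": "Jane", "last_name": "Doe",
    "mailing_address": "1 Example St, Springfield", "phone": "555-0100",
    "date_of_service": "2018-09-12", "balance_due": "142.50",
    "ssn": "123-45-6789", "card_number": "4111111111111111",
    "ordering_provider": "Dr. Example",
}
DEMO_KEY = b"placeholder-rotate-me"  # placeholder, not a real key


def demo() -> dict:
    """Minimized view of SAMPLE_RECORD, ready for release to the collector."""
    return minimize_for_collector(SAMPLE_RECORD, DEMO_KEY)


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is the deny-by-default direction: the code enumerates what may leave rather than what must be removed, so a new column added to the billing system is withheld until someone decides the collector needs it. Had the AMCA feed been built that way, the diagnostic codes would have had to be added on purpose.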
Map your fourth parties. Your vendor has vendors. The concentration risk that made AMCA catastrophic (many labs relying on one collector) is the kind of exposure that only becomes visible when you map beyond your direct relationships. Ask each critical vendor to disclose its own material subcontractors, and look for the single points of failure your competitors are also depending on.
Compliance checklist
- Classify every vendor that touches PHI as a business associate and confirm a current, substantive BAA is in place.
- Replace questionnaire-only diligence with verified evidence of technical controls and independent attestations.
- Negotiate short breach-notification windows, audit rights, subcontractor disclosure, and indemnity into the BAA.
- Stand up continuous monitoring for critical vendors; do not rely on onboarding-time assessment.
- Apply data minimization to every disclosure: send the least sensitive data the vendor needs.
- Map fourth-party subcontractors and identify shared downstream vendors that create concentration risk.
- Verify that high-risk vendors are solvent and carry adequate cyber insurance, so that indemnity is collectible.
- Treat the public-facing breach-notification duty as your own; design your incident-response plan around the assumption that you, not the vendor, will face the affected individuals.
Conclusion
The LabCorp settlement is a reminder that data, once shared, never fully leaves your responsibility. AMCA made the security decisions that led to the breach, but AMCA is gone, and the patients it exposed were never its customers. The accountability landed where HIPAA and the litigation incentives always send it: on the covered entity with the recognizable name and the assets to satisfy a judgment. Seven years and one defunct vendor later, $35 million is the price of a downstream failure that diligence, contracts with teeth, continuous monitoring, and data minimization were meant to prevent. The vendor's breach became the brand's liability, as it almost always does.
This article is provided for informational purposes only and does not constitute legal advice.