2019-06-06 OPKO HEALTH, INC. Cybersecurity Incident

Page last updated on April 11, 2024

OPKO HEALTH, INC. initially disclosed a cybersecurity incident in an SEC 8-K filing on 2019-06-06 08:35:50 EDT.

Incident Details

Material: Unknown
Is Breach: Unknown
Records Compromised: Unknown
Data Types Impacted: No Data Types Tracked (yet)

Compromised Date: 2019-03-30
Detected Date:
Disclosure Date: 2019-06-03
Contained Date:
Recovered Date:

Attack Goal: Unknown

Costs: No Costs Tracked (yet)

Filings

8-K filed on 2019-06-06

OPKO HEALTH, INC. filed an 8-K at 2019-06-06 08:35:50 EDT
Accession Number: 0000944809-19-000039

Item 7.01 Regulation FD Disclosure.

On or around June 3, 2019, BioReference Laboratories, Inc. (“BioReference”), a subsidiary of OPKO Health Inc. (the “Company”), was notified by Retrieval-Masters Creditors Bureau, Inc. d/b/a American Medical Collection Agency (“AMCA”) about unauthorized activity on AMCA’s web payment page (the “AMCA Incident”). AMCA is an external collection agency that has been used in the past by BioReference and other healthcare companies. According to AMCA, the unauthorized activity occurred between August 1, 2018, and March 30, 2019. AMCA has advised BioReference that data for approximately 422,600 patients for whom BioReference performed testing was stored in the affected AMCA system. AMCA advised that AMCA’s affected system includes information provided by BioReference that may have included patient name, date of birth, address, phone, date of service, provider, and balance information. In addition, the affected AMCA system also included credit card information, bank account information (but no passwords or security questions) and email addresses that were provided by the consumer to AMCA. AMCA has advised BioReference that no Social Security Numbers were compromised, and BioReference provided no laboratory results or diagnostic information to AMCA. BioReference has not been able to verify the accuracy of the information received from AMCA.

AMCA advised BioReference that it is sending notices to approximately 6,600 patients for whom BioReference performed laboratory testing and whose credit card or bank account information was stored in AMCA’s affected system. AMCA indicated that it will provide these affected patients with more specific information about the AMCA Incident in addition to offering them identity protection and credit monitoring services for 24 months. AMCA has not yet provided BioReference a list of the affected patients or more specific information about them. AMCA has advised BioReference that AMCA is providing notice to state attorneys general and other state agencies as required by applicable state data breach laws.

AMCA has reported to BioReference that it is continuing to investigate this incident, has reported the AMCA Incident to law enforcement and has taken steps to increase the security of its systems, processes, and data, including shutting down its web payments page, migrating it to a third-party vendor, and hiring a cybersecurity firm to implement various safeguards to increase security. BioReference and the Company take data security very seriously, including the security of data handled by vendors. BioReference is currently seeking to obtain more information from AMCA and plans to promptly take additional steps as may be appropriate once more is known about the AMCA Incident.

BioReference has not sent any collection requests to AMCA since October 2018, and it will not send any new collection requests to AMCA. In addition, BioReference has requested that AMCA cease continuing to work on any pending collection requests involving BioReference patients.

Company Information