Open Season for Bigger Threats and Breaches

 

Until now, the Accounts Receivable Management industry had not been on the radar from a hacker/bad actor standpoint. The AMCA breach changed that landscape. The tally of this breach reached more than 20 million patients. Bad actors follow a consistent pattern when they see opportunity. It’s like sharks and blood in the water.

Organizations that do servicing for medical billing have multiple compliance standards to adhere to: PCI, HIPAA, HITRUST, and SOC. Yet breaches still occur. In this case, because of the nature and size of AMCA’s clients, the outcome was devastating to AMCA. In their terms, it was a ‘cascade of events’ that forced them to declare bankruptcy.

Looking back at the risk involved and the events that occurred, there are points that other organizations should consider. Breach detection occurred in March 2019, when a high number of credit cards tied to its web portal were connected with a high number of fraudulent charges. The business had 113 staff members managing a high volume of receivables with very small balances. From an employee count perspective, this is an organization on the smaller side. The balance per account could very well be less than the average per-record cost of data breach notification. The cost of breach notification has been inching up each year; the 2019 Cost of a Data Breach report puts it at $150/record. Using the number of employees as the key measure of the security and IT coverage needed would not take into account the elevated risk a business carries when it handles volumes of sensitive data.

Organizations should look at their threat detection capabilities and incident response coverage as a function of their risk. Threat detection within security management has been supported by a new wave of technologies that go beyond looking at malware and tie in behavioral analytics and the ability to quickly or automatically quarantine or remove network access. When a business grows in risk or in numbers, so too should the security technologies that support it. There are too many ways that the bad guys can maneuver into your organization. A balance between protection and detection is needed.

In 2015 AMCA transitioned from a proprietary system to a server-based, network-connected system with IT consultants and a focus on data security protocols, according to the bankruptcy filing. While the change itself shows a concern about the new system and protecting data, there are many other aspects to consider after implementation. Assessing and prioritizing the vulnerabilities in any technology change is critical. Keeping up to date on security maintenance is difficult, especially as there is a well-documented shortage of security engineers across all industries. Vulnerabilities leave open the opportunity for reconnaissance, test threat detection, and allow for remote execution. While vulnerabilities are not the only way to penetrate an organization, they are an easy one to assess remotely, and that assessment can guide the robustness of security management. For AMCA, outward detection of the breach occurred in March 2019, but investigation found indicators of dwell time by the bad actor as far back as April 2018. That is over 300 days under the radar of detection. To a bad actor inside your organization, that amount of time is probably enough to accomplish pretty much any objective they have.

When one major player in an industry falls, there is a larger target on others in the field. Why? Because the bad actors have a proven win with their playbook of tactics. They know the similar timings, software, applications, systems, and third-party vendors most likely used. This is why compliance is critical: it ensures the baseline of security for the industry. However, it doesn’t have the ability to warn of higher-than-normal threat conditions or prevent attacks on similar organizations once a proven exploit is found.

The bad actors have figured this out. They’ve gotten more and more sophisticated in the way they can approach an organization. Automated malware-as-a-service and purchased profiles, credentials, and social network tidbits are now accessories to their hunt. Phishing emails are a great example: compliance helps by requiring security training, but in the end it’s a numbers game. If I send enough information out, someone will actually click on an email link. The bad actors have gotten really particular about making sure that they appear and sound legitimate. Ultimately, 92 percent of the malware that gets into an organization is delivered by email, according to the 2019 Verizon Data Breach Investigations Report.

Some look at this problem and ask: “Why would a bad guy come after me?” They aren’t necessarily coming after you. This breach, for anyone in the ARM industry, is not about being big enough or not. It’s really about the kinds of data that you have access to. For them, obtaining cardholder data, or partial healthcare information, is profitable. Data lakes are being mined and matched, gathered from an ecosystem of dark markets, making them grow in value on a per-record basis.

No matter what size you start out at today, investment in technology is increasing business speed and volume, and that also introduces complexity. These three attributes are beloved by the bad actors: they give them plenty of noise and distraction to mask their movements.

Compliance just cannot keep pace with the changing threat landscape. It takes time to write and approve changes. Then there is the grace period that gives companies time to implement and adopt the new process. Meanwhile, a whole new generation of threats has emerged, along with the ability to continually adapt and keep testing for weaknesses in security at digital speed.

TECH LOCK will continue to share these challenges to help organizations make informed decisions around risk and the level of security they may need to consider. Our team of security engineers and independent threat researchers continues to identify ways that organizations can improve their security posture at a reasonable cost and leverage the latest technology advantages. To learn more, contact us to set up a briefing.