3rd Party Risk Management , Cybercrime , Data Privacy

Medical laboratory testing giant Labcorp has agreed to pay $35 million to settle class action litigation stemming from a 2018 hacking incident on now-defunct American Medical Collections Agency. Labcorp reported the vendor breach to regulators in 2019 as affecting nearly 10.3 million patients.

See Also: Securing Agentic AI Demands Visibility

Settlement class members include all individuals for whom North Carolina-based Labcorp transmitted personal information to Retrieval-Masters Credit Bureau - which operated under the name American Medical Collection Agency - and whose data was contained in AMCA's computer systems during a cyber incident that occurred between August 2018 and March 2019.

Under the preliminary Labcorp settlement, each class member has two options for filing claims. That includes documented out-of-pocket losses or expenses up to $5,000 that are "reasonably traceable" to the AMCA hack, or an alternative pro-rata cash payment of about $50.

Settlement class members can also claim to receive two years of medical and healthcare information monitoring services.

Labcorp, which reported $14 billion in revenue in 2025, provides more than 2,200 patient testing locations in the U.S. and performed more than 750 million tests for patients worldwide last year. The company employs about 71,000 people and serves clients in about 100 countries, including support services for new drug development.

Labcorp in its 2025 financial earnings filing to the U.S. Securities and Exchange Commission noted its involvement "in pending and threatened litigation-related to the AMCA incident, as well as various government and regulatory inquiries and processes."

Under the proposed settlement Labcorp denies all allegations in the litigation - including claims of negligence and breach of contract, as well as all other charges of wrongdoing or liability.

"The settlement is not an admission of wrongdoing or an indication that defendant has violated any laws, but rather the resolution of disputed claims," the settlement website said.

A final "fairness" hearing for the settlement is scheduled for Aug. 20 in a New Jersey federal court.

As for the AMCA hack, the incident affected dozens of the firm's clients and about 24 million people nationwide, and led to the then-42-year-old New York-based company filing bankruptcy in 2019, just weeks after discovering the hack (see: AMCA Bankruptcy Filing in Wake of Breach Reveals Impact).

Besides Labcorp, other large medical testing firms affected by the AMCA hack included Quest Diagnostics and BioReference Laboratories.

The collection agency's hack exposed Social Security numbers, payment card information and, in some instances, names of medical tests and diagnostic codes.

AMCA first learned that the company might have a problem when it received a series of "Common Point of Purchase" notices in 2019 suggesting that a disproportionate number of credit cards that at some time had shown up on AMCA's web portal were later associated with fraudulent charges, court document said.

AMCA said it shut down its web portal to prevent any further compromises of customer data and engaged outside consultants who confirmed that AMCA's servers had been hacked as early as August 2018.

A coalition of 41 state attorneys general in 2021 reached a $21 million settlement with AMCA in the incident (see: Debt Collection Firm Reaches Breach Settlement With States.

The consent orders with the states required the company to implement data security practices, including developing and implementing an incident response plan, employing a CISO and hiring a third-party assessor to perform an information security assessment.

But because of AMCA's bankruptcy, the $21 million in fines owed to the states were suspended.

At the time of the AMCA incident, the hack was one of the largest involving a third-party vendor resulting in multiple large health data breaches among many clients.