ACN Healthcare
A medical billing company exposed patient records—SSNs, diagnoses, and insurance details from practices that outsourced their billing.
What happened?
ACN Healthcare, a medical billing and revenue cycle management company, disclosed a data breach affecting patient records from their client medical practices. Billing companies aggregate patient data from multiple providers—creating concentrated repositories of PHI that are valuable targets for attackers.
What data was actually inside?
Medical billing data is comprehensive: patient identifiers including SSNs, insurance policy details, diagnosis codes (ICD-10), procedure codes (CPT), and treatment descriptions. Every bill tells a story about what condition was treated and how much it cost.
Billing companies need this data to submit claims. The data they hold is as sensitive as what the treating providers hold—sometimes more comprehensive because it spans multiple practices.
Who gets hurt and how?
Patients of every medical practice that used ACN for billing. They saw their doctor; ACN handled the billing. They had no relationship with ACN, probably never heard of them, but their SSN and medical history are now exposed.
Medical identity theft is particularly damaging—false claims filed under your identity can affect your medical records, insurance coverage, and credit. Diagnosis information can be used for discrimination or blackmail.
What did they think they were doing right?
ACN Healthcare operates under HIPAA as a business associate. They have BAAs with their provider clients. They have compliance programs and security controls. Medical practices outsourced billing to ACN specifically because billing is complex and ACN is supposed to handle it securely.
The outsourcing decision was partly about efficiency and partly about assuming someone else would handle compliance. The risk transferred with the data.
What did they not know about their own data?
ACN either didn't know how much sensitive data had accumulated across their systems, or couldn't protect it. Billing companies keep years of data for audit purposes, dispute resolution, and analytics. Each year adds more patient records. Each client adds more practices. The pile grows.
They knew they had PHI. They didn't know how exposed it was or how much would be accessed in a breach.
What does attribution look like the morning after?
ACN had to notify their provider clients, who then had to notify their patients. The chain creates confusion: patients receive letters about a company they've never heard of breaching their medical data. Providers face questions about why they trusted ACN with patient data.
Under HIPAA, business associates have direct compliance obligations. ACN faces HHS OCR investigation and potential penalties independent of their client relationships.
What would have changed the outcome?
Knowing exactly what PHI exists and implementing data minimization.
If ACN had inventoried their data—understanding what they held, why they held it, and whether they still needed it—they could have reduced their exposure by purging old records and protecting what remained. Billing companies don't need to keep every record forever. They do anyway, creating unnecessary liability.
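An inventory-and-retention pass of the kind described above, written as an added illustration rather than anything from ACN Healthcare or this page. The claim records, the field names treated as PHI (ssn, member_id, icd10, cpt), the seven-year retention window and the legal-hold list are all constructed assumptions; a real policy would take its window from the applicable regulation and contracts.

```python
"""Inventory PHI held in billing claims and flag records past a retention window.

Added example with constructed data; field names, values and the retention
window are assumptions, not ACN Healthcare's data or code.
"""
from collections import Counter
from datetime import date, timedelta

# Constructed sample claims. The four PHI-style fields mirror the data classes
# the text names (SSN, insurance policy, ICD-10 diagnosis, CPT procedure).
RECORDS = [
    {"claim_id": "C-1001", "practice": "Practice A", "service_date": "2014-03-02",
     "ssn": "000-00-0001", "member_id": "INS-0001", "icd10": ["E11.9"], "cpt": ["99213"]},
    {"claim_id": "C-1002", "practice": "Practice A", "service_date": "2016-08-10",
     "ssn": "000-00-0002", "member_id": "INS-0002", "icd10": ["F32.9"], "cpt": ["90834"]},
    {"claim_id": "C-1003", "practice": "Practice B", "service_date": "2020-05-01",
     "ssn": None, "member_id": "INS-0003", "icd10": ["J06.9"], "cpt": ["99214"]},
    {"claim_id": "C-1004", "practice": "Practice B", "service_date": "2023-11-20",
     "ssn": "000-00-0004", "member_id": "INS-0004", "icd10": ["I10"], "cpt": ["99395"]},
]

# Assumed PHI classification for inventory purposes.
PHI_FIELDS = ("ssn", "member_id", "icd10", "cpt")


def _present(value):
    """True when a field actually carries data (None, empty string or list do not)."""
    return value not in (None, "", [], {})


def inventory(records):
    """Answer 'what do we hold?': totals per practice, per PHI field, and the oldest record."""
    by_practice = Counter(r["practice"] for r in records)
    by_field = Counter(f for r in records for f in PHI_FIELDS if _present(r.get(f)))
    oldest = min(r["service_date"] for r in records) if records else None
    return {
        "total": len(records),
        "by_practice": dict(by_practice),
        "by_field": dict(by_field),
        "oldest_service_date": oldest,
    }


def retention_cutoff(today, retention_years):
    """Oldest service date still inside the window (assumed 365-day years)."""
    return today - timedelta(days=365 * retention_years)


def apply_retention(records, today, retention_years=7, legal_hold=frozenset()):
    """Split records into those to keep and claim ids eligible for purge.

    Records older than the window are purge-eligible unless their claim id is
    under a legal hold (audit or dispute), in which case they are kept. The
    window and the hold list are assumptions for this example.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    cutoff = retention_cutoff(today, retention_years)
    keep, purge = [], []
    for r in records:
        service = date.fromisoformat(r["service_date"])
        if service < cutoff and r["claim_id"] not in legal_hold:
            purge.append(r["claim_id"])
        else:
            keep.append(r)
    return keep, purge


if __name__ == "__main__":
    before = inventory(RECORDS)
    kept, purge_ids = apply_retention(RECORDS, "2024-01-15", legal_hold=frozenset({"C-1002"}))
    after = inventory(kept)
    print("held before:", before)
    print("purge-eligible:", purge_ids)
    print("held after:", after)
```

Run as a script it prints the inventory before and after the retention pass; the point is that the same inventory function that answers "what PHI do we hold and from which practices?" also measures how much exposure a purge removes (here, the SSN count drops and the oldest record moves from 2014 to 2016 because one old claim is under hold).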
Don't Learn What You Have From an Attacker
ACN didn't know what patient data was at risk until it was breached. Risk Finder shows you first.