Labcorp to Pay $35 Million to Settle Class Action Over 2018 AMCA Data Breach
Labcorp has agreed to a $35 million settlement to resolve a class-action lawsuit stemming from the 2018 breach of its third-party vendor, American Medical Collections Agency, which exposed data of nearly 10.3 million patients.
Medical diagnostics giant Labcorp has agreed to pay $35 million to settle a class-action lawsuit arising from the 2018 data breach at its former vendor, American Medical Collections Agency (AMCA). The breach, which affected nearly 10.3 million Labcorp patients, exposed sensitive personal and medical information including Social Security numbers, payment card details, and diagnostic test codes. The settlement, filed in New Jersey federal court, aims to compensate individuals whose data was compromised during the incident that occurred between August 2018 and March 2019.
Under the terms of the preliminary settlement, class members can claim documented out-of-pocket losses up to $5,000 that are "reasonably traceable" to the AMCA hack, or an alternative pro-rata cash payment of approximately $50. Additionally, affected individuals are eligible for two years of medical and healthcare information monitoring services. Labcorp, which reported $14 billion in revenue in 2025 and operates over 2,200 patient testing locations in the U.S., denies all allegations of negligence, breach of contract, or other wrongdoing in the settlement agreement.
The AMCA breach was one of the largest third-party vendor incidents in healthcare history, ultimately affecting about 24 million people across dozens of the collection agency's clients. Besides Labcorp, other major medical testing firms impacted included Quest Diagnostics and BioReference Laboratories. The incident forced AMCA, a 42-year-old New York-based company, to file for bankruptcy in 2019 just weeks after discovering the intrusion. A coalition of 41 state attorneys general later reached a $21 million settlement with AMCA, though those fines were suspended due to the company's bankruptcy.
The breach came to light when AMCA received a series of "Common Point of Purchase" notices in 2019, indicating that a disproportionate number of credit cards that had appeared on AMCA's web portal were later associated with fraudulent charges. AMCA subsequently shut down its web portal and engaged outside consultants, who confirmed that the company's servers had been compromised as early as August 2018. The incident highlighted significant supply-chain security risks in healthcare, where third-party vendors often have access to vast amounts of sensitive patient data.
Labcorp disclosed the vendor breach to regulators in 2019, and the ensuing litigation has dragged on for years. In its 2025 financial earnings filing with the U.S. Securities and Exchange Commission, the company noted its involvement "in pending and threatened litigation related to the AMCA incident, as well as various government and regulatory inquiries and processes." The proposed settlement is not an admission of wrongdoing, according to the settlement website, but rather "the resolution of disputed claims."
A final "fairness" hearing for the settlement is scheduled for August 20 in a New Jersey federal court. If approved, the settlement will provide some closure for the millions of patients whose data was exposed, while also serving as a stark reminder of the cascading consequences of third-party data breaches in the healthcare sector. The case underscores the critical importance of rigorous vendor risk management and the potential financial liabilities that can arise from supply-chain security failures.