The tentacles of a breach at the American Medical Collection Agency, a medical debt collector, continue to claim victims. The latest, Clinical Pathology Laboratories, Inc., a network of more than 100 pathologists based in Texas, acknowledged this week that 2.2 million of its patients had their data compromised by the breach.

The 2.2 million join at least 20 million others, including patients at healthcare companies like Quest Diagnostics, LabCorp, Carecentrix, BioReference Laboratories, and Sunrise Laboratories, as victims implicated in the breach.

The Texas facility disclosed that it was a victim on Friday, confirming it was notified by AMCA in May – presumably around the same time it notified Quest Diagnostics and Optum360, a Quest contractor – but didn't receive enough information about which employees were affected, something which forced it to delay its own breach announcement.

Like many of the facilities, Clinical Pathology Laboratories used AMCA as its collection agency.

In the notice CPL confirmed it’s no longer using AMCA for collection efforts. It's unclear whether AMCA will continue to operate; the company looks poised shutter after filing for Chapter 11 bankruptcy last month.

According to CPL, patient names, addresses, phone numbers, dates of birth, dates of service, balance information, credit card or banking information and treatment provider information may have been impacted by the breach. While for some entities the AMCA breach resulted in compromised Social Security numbers that doesn't appear to be the case with CPL's patients; ". AMCA has advised CPL that its patients’ social security numbers were not involved in the incident," the statement reads.

AMCA said Social Security numbers were among the data compromised for roughly 11.9 million patients of Quest Diagnostics.

We learned last month that the breach may have occurred as early as August 2018 but wasn't uncovered until March this year when it received a number of CPP notices that implied that credit cards used on its web portal had been associated with fraudulent charges. CPP, or Common Point of Purchase notifications, issued by payment companies like Visa, MasterCard, and Discover, can help identify at risk or compromised cards by analyzing patterns in spending vendor by vendor.

The breach is quickly turning into one of the biggest healthcare supply chain stories of the year.

The fact that AMCA didn't know about the breach until eight months after it happened is certainly concerning but it's equally troubling that many of its clients, large healthcare organizations, didn't fully know the scope of the attack until months later. CPL said last week that its investigation into exactly which of patients were impacted is still ongoing.

The disclosure came the same day Sen. Robert Menendez (D-N.J.) – a politician who sought answers from Quest Diagnostics after it announced that it was part of the breach - renewed calls pressing for AMCA executives to answer questions about the hack in front of Congress.

“We cannot allow this company to escape its responsibility to patients and ignore our legitimate questions by hiding behind bankruptcy,” Menendez told the Washington Post on Thursday.