2019 American Medical Collection Agency Data Breach Investigation Ends in Multistate Settlement

A coalition of 41 state Attorneys General has settled its investigation of the 2019 data breach at Retrieval-Masters Creditors Bureau, doing business as American Medical Collection Agency (AMCA), in which the protected health information (PHI) of about 21 million U.S. citizens was compromised and stolen.

Retrieval-Masters Creditors Bureau is a debt collection agency. Its AMCA arm collects small debts on behalf of healthcare clients such as laboratories and medical testing centers.

From August 1, 2018 to March 30, 2019, an unauthorized person had access to AMCA’s systems and exfiltrated sensitive information, including names, personal data, Social Security numbers, payment card details and, for certain individuals, medical test data and diagnostic codes. The AMCA data breach was the largest healthcare data breach reported in 2019.

AMCA began notifying states of the breach on June 3, 2019, and affected individuals were offered two years of free credit monitoring services. Because of the enormous cost of breach remediation, AMCA filed for bankruptcy protection in June 2019.

The Indiana, Connecticut, New York, and Texas Attorneys General led the multistate investigation of the AMCA breach. The Texas and Indiana AGs also took part in the bankruptcy proceedings to ensure that the investigation continued and that the personal data and PHI of breach victims remained protected. AMCA obtained authorization from the bankruptcy court to negotiate the multistate action and requested termination of the bankruptcy on December 9, 2020.

The multistate investigation confirmed that information security shortcomings contributed to the breach. It also found that AMCA failed to detect the intrusion even after the banks that processed its payments notified it of fraudulent use of payment cards.

Under the terms of the settlement, AMCA must create and maintain an information security program, establish an incident response program, hire a qualified chief information security officer (CISO), engage a third-party assessor to conduct an information security assessment, and continue to cooperate with state attorneys general in their investigations of the breach.

A $21 million financial penalty was imposed on AMCA, to be allocated pro rata among the participating states; however, because of the company’s financial position, the $21 million penalty was suspended. Payment will be required only if AMCA fails to comply with the conditions of the settlement agreement.

When a business does not invest sufficiently in information security, a data breach can be costly enough to drive it into bankruptcy, ruining the business and harming the affected individuals. AMCA’s security failures allowed unauthorized access to the data of 21 million Americans. State AGs should be committed to safeguarding their citizens’ personal information and should hold companies accountable when they fail to protect it. The AMCA settlement agreement ensures that the company implements the security and incident response programs needed to prevent such a failure from happening again.

Connecticut, Indiana, Texas, and New York led the investigation, while Florida, Illinois, Massachusetts, Maryland, Michigan, Tennessee, and North Carolina assisted. The Attorneys General of Arizona, Arkansas, the District of Columbia, Colorado, Georgia, Hawaii, Iowa, Idaho, Louisiana, Kansas, Kentucky, Maine, Missouri, Minnesota, Nebraska, New Hampshire, Nevada, New Jersey, New Mexico, Oklahoma, Ohio, Oregon, Pennsylvania, South Carolina, Rhode Island, Utah, Virginia, Vermont, West Virginia, and Washington also joined the settlement.