[BreachExchange] Multistate Settlement Resolves 2019 American Medical Collection Agency Data Breach Investigation

Destry Winant destry at riskbasedsecurity.com
Fri Mar 12 10:31:55 EST 2021


https://www.hipaajournal.com/multistate-settlement-resolves-2019-american-medical-collection-agency-data-breach/

A coalition of 41 state Attorneys General has agreed to settle an
investigation into Retrieval-Masters Creditors Bureau dba American
Medical Collection Agency (AMCA) over a 2019 data breach that resulted
in the exposure/theft of the protected health information of 21
million Americans.

Retrieval-Masters Creditors Bureau is a debt collection agency, with
its AMCA arm providing small debt collection services to healthcare
clients such as laboratories and medical testing facilities.

From August 1, 2018 until March 30, 2019, an unauthorized individual
had access to AMCA’s systems and exfiltrated sensitive data such as
names, personal information, Social Security numbers, payment card
information and, for some individuals, medical test information and
diagnostic codes. The AMCA data breach was the largest healthcare data
breach reported in 2019.

AMCA notified states about the breach starting June 3, 2019, and
individuals affected by the breach were offered two years of
complimentary credit monitoring services. The high cost of remediation
of the breach saw AMCA file for bankruptcy protection in June 2019.

The multistate investigation into the breach was led by the Indiana,
Texas, Connecticut, and New York Attorneys General, with the Indiana
and Texas AGs also participating in the bankruptcy proceedings to
ensure that the investigation continued and that the personal and
protected health information of breach victims was protected. AMCA
received permission from the bankruptcy court to settle the multistate
action and filed for dismissal of the bankruptcy on December 9, 2020.

The multistate investigation confirmed that information security
deficiencies contributed to the breach and that, despite receiving
warnings from banks that processed AMCA payments about fraudulent use
of payment cards, AMCA failed to detect the intrusion.

Under the terms of the settlement, AMCA is required to create and
implement an information security program, develop an incident
response plan, employ a qualified chief information security officer
(CISO), hire a third-party assessor to perform an information security
assessment, and continue to assist state attorneys general with
investigations into the data breach.

A financial penalty of $21 million has been imposed on AMCA which will
be distributed pro rata between the affected states; however, due to
the financial position of the company, the $21 million financial
penalty has been suspended. That payment will only need to be made if
AMCA defaults on the terms of the settlement agreement.

“AMCA is a cautionary tale: When a company does not adequately invest
in information security, the costs associated with a data breach can
lead to bankruptcy – destroying the business and leaving affected
individuals in harm’s way,” said Connecticut Attorney General Tong.
“My office will continue to work to protect personal information even
where the business that had the responsibility to do so cannot.”

“AMCA’s security failures resulted in 21 million Americans having
their data illegally accessed. I am committed to protecting New
Yorkers’ personal data and will not hesitate to hold companies
accountable when they fail to safeguard that information,” said New
York Attorney General Letitia James. “Today’s agreement ensures that
the company has the appropriate security and incident response plan in
place so that a failure like this does not take place again.”

Indiana, Texas, Connecticut, and New York led the investigation and
were assisted by Florida, Illinois, Maryland, Massachusetts, Michigan,
North Carolina, and Tennessee. The Attorneys General of Arizona,
Arkansas, Colorado, the District of Columbia, Georgia, Hawaii, Idaho,
Iowa, Kansas, Kentucky, Louisiana, Maine, Minnesota, Missouri,
Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, Ohio,
Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Utah,
Vermont, Virginia, Washington, and West Virginia also joined the
settlement.
