American Medical Collection Agency or AMCA has agreed to resolve a multistate investigation into a 2019 data breach that exposed the personal information of more than 7 million people, and possibly exposing the personal information of up to 21 million throughout the United States.
AMCA specialized in small-balance medical debt collection mainly for laboratories and medical testing facilities.
An unauthorized user gained access to AMCA’s internal system from August 1, 2018, through March 30, 2019.
AMCA failed to detect the intrusion, despite warnings from banks that processed its payments, said Nevada Attorney General Aaron D. Ford. The unauthorized user was able to collect personal information, including Social Security numbers, payment card information, and, in some cases, names of medical tests and diagnostic codes.
“Debt collectors, particularly those with consumers’ health information, have a duty to uphold the promise to keep consumers’ data safe from unauthorized access,” said Ford.
On June 3, 2019, AMCA began providing breach notices to more than 7 million affected people, which included an offer of two years of free credit monitoring. On June 17, 2019, as a result of the costs associated with providing notification and remedies for the breach, AMCA filed for bankruptcy.
The multistate coalition participated in the bankruptcy proceedings through the attorneys general of Indiana and Texas.
AMCA received permission from the bankruptcy court to settle with the multistate group, and on December 9, 2020, filed for dismissal of the bankruptcy.
As part of the settlement, AMCA may be liable for a suspended $21 million total payment to the states. Because of AMCA’s financial condition, the payment is suspended unless the company violates terms of the settlement agreement.
Under the the settlement, AMCA and its officials have agreed to carryout security practices to strengthen its information security program and safeguard the personal information of consumers.
In addition to Nevada, among the other states participating in the investigation are: Connecticut, Colorado, Hawaii, Idaho, Illinois, Indiana, Iowa, Maine, Maryland, Massachusetts, Michigan, Minnesota, Nebraska, New Hampshire, New York, Ohio, Oregon, Pennsylvania, Rhode Island, Tennessee, Vermont, Washington, and West Virginia.