41 States Settle with AMCA Over 2019 Data Breach Affecting 21M Patients
A multistate coalition of 41 state attorneys general settled with AMCA, requiring the collections vendor to bolster its security program after its massive patient data breach in 2019.
The Retrieval-Masters Creditors Bureau, d/b/a American Medical Collection Agency, reached a settlement with 41 state attorneys general, which could lead to a $21 million fine, to resolve a multistate investigation into its massive healthcare data breach from 2019.
The multistate coalition involved the attorneys general from Washington, DC, New Jersey, New York, Ohio, Oregon, New Hampshire, Florida, Georgia, Hawaii, Idaho, Rhode Island, New Mexico, Arizona, Colorado, Kansas, Idaho, North Carolina, Minnesota, and Michigan, and 22 others.
The AMCA security incident was by far the largest healthcare data breach that year, impacting at least 21 million individuals across the country.
First disclosed in June 2019, the breach gave a hacker access to the billing collections vendor's systems for eight months, between August 1, 2018 and March 30, 2019. That access exposed troves of billing and medical data belonging to a range of AMCA clients.
The impacted clients involved Quest Diagnostics with 11.9 million patients, LabCorp with 7.7 million patients, Clinical Pathology Laboratories with 2.2 million patients, BioReference with 422,000 patients, and a host of others.
The compromised data varied by entity, but included patient names, demographic details, dates of birth, credit cards, balance information, bank accounts, contact details, provider names, and dates of service, among other sensitive data.
The breach notices spurred multiple investigations and patient-related lawsuits, and soon after, AMCA filed for Chapter 11 bankruptcy.
New York Attorney General Letitia James and other state attorneys general participated in the bankruptcy proceedings. At that time, AMCA was permitted to settle the multistate coalition's investigation into the company. The vendor filed to dismiss the bankruptcy on December 9.
“If companies are going to manage New Yorkers’ personal information, they must make every effort to protect that information,” James said in a statement. “But AMCA’s security failures resulted in 21 million Americans having their data illegally accessed.”
“Today’s agreement ensures that the company has the appropriate security and incident response plan in place so that a failure like this does not take place again,” she added.
Under the settlement agreement, AMCA and related principals are required to implement and maintain several key data security practices that will bolster its information security program and ensure the security of its client data.
The required security practices include the implementation of an incident response plan and the instatement of a qualified chief information security officer to oversee AMCA’s data safety practices.
The program must contain administrative, technical, and physical safeguards appropriate to the size and complexity of the company, as well as the sensitivity of the personal information and protected health information collected, stored, transmitted and maintained by AMCA.
Further, the security program must limit each user's access to that data to only the extent necessary for the employee to perform their job functions.
The CISO will be responsible for overseeing the program and will report directly to the CEO on security risks, the program's status, the resources required to implement the security program, and any security implications of AMCA's business decisions.
AMCA is also required to hire a third-party assessor to perform a security assessment and to cooperate with the attorneys general's investigation, which includes maintaining evidence. The assessment must occur annually and include an assessment of AMCA's compliance with the settlement agreement.
Failure to meet these requirements may result in AMCA making a $21 million payment to the states. Given the financial condition of the company, the payment will be suspended if no violation occurs.
“With bad actors consistently looking for ways to target personally identifiable information, businesses must institute strict protocols to keep their customers’ confidential information safe,” said Georgia Attorney General Chris Carr, in a statement.
“Should a business fail to set good standards of conduct or ignore credible warnings about potential security breaches, we will hold them accountable on behalf of Georgia consumers,” he added.