Medical data collection has hopefully become a little safer. On March 11, 2021, the Retrieval-Masters Creditors Bureau (doing business as “American Medical Collection Agency” or “AMCA”) entered into a nationwide settlement with attorneys general of 40 states and Washington D.C. The settlement centered around a data breach that potentially exposed the personal information of nearly 21 million people. The breach occurred when an unauthorized user accessed AMCA’s system in 2018. It lasted nearly a year until states were put on notice of the digital intrusion. The settlement agreement’s terms mandate AMCA’s compliance with all applicable state and federal laws concerning privacy. If the company fails to do, it can be found liable for upward of $21 million in payments.
The Data Breach Allegations
American Medical Collection Agency is a debt collection corporation based in Elmsford, New York. The corporation has contracts with medical providers, hospitals, and laboratories to collect unpaid debt from patients. It specializes in small debt amounts and has held contracts with national laboratories such as Quest Diagnostics, LabCorp, and BioReference.
On August 1, 2018, an unauthorized user accessed AMCA’s internal data system and collected swathes of customers’ personal information. This data included Social Security numbers, financial information, and personal health information, such as medical tests and diagnostic codes. Then, the unauthorized user maintained access to the system—and the personal information of nearly 21 million individuals—through March 30, 2019. In early June 2019, AMCA began mailing notices of a data breach to over seven million consumers. Because of the breach, AMCA offered them credit monitoring for two years. Quest Diagnostics was the first customer to be alerted. The hack exposed the personal medical data of 11.9 million of its patients. The data breach also affected LabCorp with 7.7 million patients exposed. Furthermore, the breach impacted an additional 21 medical companies.
American Medical Collection Agency’s Bankruptcy
By June 17, 2019, AMCA filed for Chapter 11 bankruptcy in the Southern District of New York. In its bankruptcy filings, Russell Fuchs, the CEO of Retrieval-Masters Creditors Bureau, wrote that the company had incurred “enormous expenses that were beyond the ability of the debtor to bear,” noting that he had lent AMCA $2.5 million of the $3.8 million spent to mail the seven million notices. Furthermore, AMCA’s biggest clients ceased all business with the company, furthering the need for the bankruptcy petition.
Taking Legal Action
Throughout the country, people filed a flurry of class action lawsuits. The lawsuits alleged negligence, breach of contract, and a variety of state law violations concerning business practices and data security. Data security researchers had found that 200,000 payment card numbers of patients were for sale on a darknet marketplace. Through American Medical Collection Agency’s admission in its bankruptcy filing, researchers discovered fraudulent charges connected to a large number of patients’ credit cards. The data breach sparked the interest of state regulators and members of Congress. State attorneys general quickly began their own investigations.
The Settlement’s Terms
Attorneys General of New York, Connecticut, Texas, and Indiana led the nationwide investigation. They reached a potential resolution of its claims with a multistate settlement involving 40 states and Washington D.C. On March 19, 2020, AMCA filed a motion to dismiss the bankruptcy proceeding in lieu of the structured settlement. The court granted the motion and approved the notice of the proposed settlement terms.
As part of the settlement terms in People of the State of New York v. Retrieval Masters d/b/a AMCA, as well as other jurisdictions, the settlement mandates AMCA’s compliance with all consumer protection acts, personal information protection acts, and HIPAA privacy and security rules in its handling of personal information and protected health information. AMCA has agreed to implement and maintain certain data security measurements to strengthen its system and protect the personal information of the patients.
Future of AMCA
While AMCA or its principals, currently or in the future, manage personal information and protected health information, they must develop and implement a written information security program within 60 days that is “reasonably designed to protect the security, integrity, and confidentiality” of the information that they “collect, store, transmit, and/or maintain.” At a minimum, the program must be in writing and tailor to the safeguards appropriate for the business’s size and complexity. The program must also adjust to the sensitivity of the collected information. Users of the program shall only have access to personal information to the extent necessary to perform their jobs.
The program also requires the employment of a Chief Information Security Officer. The position’s primary responsibility would be to implement, maintain, and monitor the program. The officer will also provide any security updates to the CEO of AMCA, including a quarterly report. Lastly, the program must include a written incident response plan in order to prepare for any future security events.
For the next seven years, AMCA must obtain an annual assessment of its data security program from a third-party assessor. The assessor will document AMCA’s compliance as well as their response to any security events. The Connecticut Attorney General will receive this report and may provide it to any of the participating states. Although a monetary judgment was entered against AMCA ($1,695,612.52 in the New York filing), collection of the civil penalty is suspended subject to AMCA’s compliance with the settlement terms.
The attorneys general have lauded the agreement, calling it a “cautionary tale.” Hopefully, this will encourage other data collection companies to strengthen their security.
