Medical data collection has hopefully become a little safer. On March 11, 2021, the Retrieval-Masters Creditors Bureau (doing business as “American Medical Collection Agency” or “AMCA”) entered into a nationwide settlement with the attorneys general of 40 states and Washington, D.C. concerning a data breach that potentially exposed the personal information of nearly 21 million people. The breach began when an unauthorized user accessed AMCA’s system in 2018 and went undetected for nearly a year before the states were put on notice of the intrusion. The settlement agreement’s terms mandate AMCA’s compliance with all applicable state and federal privacy laws. If the company fails to do so, it can be held liable for up to $21 million in payments to the states.
The Data Breach Allegations
American Medical Collection Agency is a debt collection company based in Elmsford, New York that contracts with medical providers, hospitals, and laboratories to collect unpaid debt from patients. The company specializes in small debt amounts and has held contracts with national clinical laboratories such as Quest Diagnostics, LabCorp, and BioReference.
On August 1, 2018, an unauthorized user gained access to AMCA’s internal data system and collected swaths of personal information belonging to the patients of AMCA’s clients. This data included Social Security numbers, financial information, and personal health information, such as medical tests and diagnostic codes. The unauthorized user maintained access to the system, and to the personal information of nearly 21 million individuals, through March 30, 2019. On or about June 6, 2019, AMCA began mailing data breach notices to over seven million consumers, offering them two years of credit monitoring. Quest Diagnostics was the first client to be alerted, with the intrusion exposing the personal medical data of 11.9 million of its patients. LabCorp was also significantly affected, with 7.7 million patients exposed. An additional 21 medical companies were also impacted by the breach.
On June 17, 2019, AMCA filed for Chapter 11 bankruptcy in the Southern District of New York. In its bankruptcy filings, Russell Fuchs, the CEO of Retrieval-Masters Creditors Bureau, wrote that the company had incurred “enormous expenses that were beyond the ability of the debtor to bear,” noting that he had personally lent AMCA $2.5 million of the $3.8 million spent to mail the seven million notices. AMCA’s biggest clients ceased all business with the company, compounding the need for the bankruptcy petition.
Taking Legal Action
A flurry of class action lawsuits was filed throughout the country, alleging negligence, breach of contract, and a variety of state law violations concerning business practices and data security. Data security researchers found roughly 200,000 patient payment card numbers for sale on a darknet marketplace, and AMCA admitted in its own bankruptcy filing that a large number of patients’ credit cards had been linked to fraudulent charges. The data breach drew the attention of state regulators and members of Congress, with state attorneys general quickly opening their own investigations.
The Settlement’s Terms
The nationwide investigation, led by the attorneys general of New York, Connecticut, Texas, and Indiana, resolved its claims through a multistate settlement involving 40 states and Washington, D.C. On March 19, 2020, AMCA filed a motion to dismiss the bankruptcy proceeding in favor of the structured settlement; the motion was subsequently granted, and notice of the proposed settlement terms was approved.
As part of the settlement terms in People of the State of New York v. Retrieval Masters d/b/a AMCA, and in the parallel filings of the other jurisdictions, AMCA must comply with all applicable consumer protection acts, personal information protection acts, and the HIPAA privacy and security rules in its handling of personal information and protected health information. AMCA has also agreed to implement and maintain specific data security measures to strengthen its systems and protect patients’ personal information.
To the extent that AMCA or its principals currently manage or oversee personal information and protected health information, or do so in the future, they must develop and implement, within 60 days, a written information security program that is “reasonably designed to protect the security, integrity, and confidentiality” of the information that they “collect, store, transmit, and/or maintain.” At a minimum, the program must be in writing and tailored to safeguards appropriate for the business’s size and complexity and the sensitivity of the information it collects. Employees and other users of AMCA’s systems may access personal information only to the extent necessary to perform their jobs. The program also requires the appointment of a Chief Information Security Officer whose primary responsibility is to implement, maintain, and monitor the program and to report on security matters to the CEO of AMCA, including in a quarterly report. Lastly, the program must include a written incident response plan to prepare for any future security events.
For the next seven years, AMCA must obtain an annual assessment of its data security program from a third-party assessor tasked with documenting AMCA’s compliance and its response to any security events. The report is provided to the Connecticut Attorney General, who may share it with any of the participating states. Although a monetary judgment was entered against AMCA ($1,695,612.52 in the New York filing), collection of the civil penalty is suspended so long as AMCA complies with the settlement terms.
The agreement has been lauded by the attorneys general as a “cautionary tale,” one that will hopefully encourage other companies handling medical and financial data to strengthen their security.