American Medical Collection Agency reaches 40-state settlement for data breach that exposed 21 million patients' info

American Medical Collection Agency on March 11 reached a settlement with 40 states and Washington, D.C., to resolve a complaint following a 2019 cyberattack that exposed 21 million Americans' personal information, including Social Security numbers, diagnoses and credit card information.

The Elmsford, N.Y.-based company specializes in small-balance medical-debt collection and offers services mostly for laboratories and medical testing facilities. 

Between Aug. 1, 2018, and March 30, 2019, an unauthorized user gained access to AMCA's internal network and collected customers' personal information. According to documents from the bankruptcy court of New York's southern district, AMCA received various warnings from banks that processed its payments, but it failed to detect the breach.

On June 3, 2019, AMCA gave 40 states and Washington, D.C., notice of the cyberattack. The company also notified affected individuals and offered them two years of free credit monitoring.

On June 17, 2019, AMCA filed for bankruptcy because of costs associated with the data breach. The bankruptcy court later granted the company permission to settle with the 40 states and Washington, D.C., and AMCA filed for dismissal of the bankruptcy Dec. 9, 2020.

Under the March 11 agreement, AMCA agreed to implement certain data security practices, including deploying a detailed information security program with an incident response plan, cooperating with the attorneys general's ongoing investigations and maintaining evidence, and hiring a chief information security officer and a third-party information security assessor.

If it violates any of the data security practices above, AMCA may also be liable for a $21 million payment to the states.

© Copyright ASC COMMUNICATIONS 2021.