Nashville – Attorney General Herbert H. Slatery III announced that Tennessee, as part of a coalition of 41 Attorneys General, has reached an agreement with Retrieval-Masters Creditors Bureau, a debt collection agency doing business as the American Medical Collection Agency (“AMCA”). The settlement resolves a multi-state investigation into the 2019 data breach that revealed the personal information of more than 7 million people, including 132,451 Tennesseans.
AMCA specializes in the collection of low-value medical debts mainly for laboratories and medical testing facilities. An unauthorized user gained access to AMCA’s internal system from August 1, 2018 to March 30, 2019. AMCA failed to detect the intrusion, despite warnings from the banks that processed its payments. The unauthorized user was able to collect social security numbers, payment card information, and in some cases, medical test names and diagnostic codes.
On June 3, 2019, AMCA notified numerous states and began notifying over 7 million affected people, including a two-year offer of free credit monitoring. On June 17, 2019, due to the costs associated with notifying and remedying the violation, AMCA filed for bankruptcy. The multi-state coalition participated in all bankruptcy proceedings. The company eventually received bankruptcy court clearance to settle with the multi-state coalition, and on December 9, 2020, filed for a nonsuit.
“Patients shouldn’t have to worry about disclosing their personal information – and especially sensitive medical information – through a breach of security,” General Slatery said. “Tennessee will continue to hold companies accountable for failing to implement appropriate safeguards or who drag their feet in the event of a violation.”
As part of the settlement, AMCA may be responsible for a total payment of $21 million to states. Due to AMCA’s financial condition, this payment is suspended unless the company violates certain terms of the settlement agreement, which include the following data security practices:
- Create and implement an information security program with detailed requirements, including an incident response plan;
- Employ a suitably qualified information security officer;
- Hire a third party assessor to perform an information security assessment; and
- Cooperate with Attorneys General in investigating data breaches and preserving evidence.
To read the agreed final judgment, click here: https://www.tn.gov/content/dam/tn/attorneygeneral/documents/pr/2021/pr21-13-afj.pdf
The Attorneys General of Indiana, Texas, Connecticut and New York conducted the investigation, assisted by the Attorneys General of Florida, Illinois, Maryland, Massachusetts, Michigan, North Carolina and Tennessee, and joined by the Attorneys General of Arizona, Arkansas, Colorado, District of Columbia, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Minnesota, Missouri, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Utah, Vermont, Virginia, Washington and West Virginia.
# 21-13: AG Slatery Announces Multi-State Settlement With U.S. Medical Collection Agency