Attorney General Tong Announces Multi-State Settlement With U.S. Medical Collection Agency Over 2019 Data Breach
(Hartford, CT) – Attorney General William Tong today announced that Connecticut, as part of a coalition of 41 Attorneys General, has settled with Retrieval-Masters Creditors Bureau d / b / a American Medical Collection Agency (“AMCA”) resolving a 2019 multi-state data breach investigation that exposed the personal information of more than 7 million people, including 100,266 Connecticut residents and potentially exposed the personal information of up to 21 million people in the United States.
Retrieval-Masters Creditors Bureau is a debt collection agency. Under the name of the American Medical Collection Agency, or AMCA, the company specializes in the collection of low-value medical debts, primarily for laboratories and medical testing facilities. An unauthorized user gained access to AMCA’s internal system from August 1, 2018 to March 30, 2019. AMCA failed to detect the intrusion, despite warnings from the banks that processed its payments. The unauthorized user was able to collect a wide variety of personal information, including social security numbers, payment card information, and in some cases, names of medical tests and diagnostic codes.
On June 3, 2019, the AMCA notified numerous states and began notifying over 7 million affected people, including a two-year offer of free credit monitoring. On June 17, 2019, due to the costs associated with notifying and remedying the violation, AMCA filed for bankruptcy. In order to continue the investigation and take steps to ensure the protection of the personal information of their residents, the multi-state coalition participated in all bankruptcy proceedings through the attorneys general of Indiana and Texas. The company eventually received bankruptcy court clearance to settle with the multi-state, and on December 9, 2020, filed for a nonsuit.
“AMCA is a caveat: When a business does not invest adequately in information security, the costs associated with a data breach can lead to bankruptcy, destroying the business and putting those affected. in danger. My office will continue to work to protect personal information even when the company that was responsible for doing so cannot ”, said Attorney General Tong.
As part of the settlement, AMCA may be responsible for a total payment of $ 21 million to states. Due to AMCA’s financial condition, this payment is suspended unless the company violates certain terms of the settlement agreement.
Under the settlement, AMCA and its officers agreed to implement and maintain a series of data security practices designed to strengthen its information security program and protect consumers’ personal information. These include:
- Create and implement an information security program with detailed requirements, including an incident response plan;
- Employing a suitably qualified information security officer;
- Hire a third party assessor to perform an information security assessment; and
- Cooperate with Attorneys General in investigating data breaches and preserving evidence.
The attorneys general of Indiana, Texas, Connecticut and New York conducted the investigation, assisted by the attorneys general of Florida, Illinois, Maryland, Massachusetts, Michigan, North Carolina and Tennessee, and joined by the Attorneys General of Arizona, Arkansas, Colorado, District of Columbia, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Minnesota, Missouri, Nebraska , Nevada, New Hampshire, New Jersey, New Mexico, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Utah, Vermont, Virginia, Washington and West Virginia.
Deputy Attorneys General John Neumon, Áine DeMeo and Michele Lucan, Deputy Assistant Attorney General / Head of the Privacy Section, assisted the Attorney General in this case.
- Twitter: @AGWilliamTong
- Facebook: Attorney General of CT