On March 11, the American Medical Collection Agency reached an agreement with 40 states and Washington DC, to settle a complaint following a 2019 cyberattack that exposed the personal information of 21 million Americans, including phone numbers. social security, diagnostics and credit card information.
The Elmsford, New York-based company specializes in low-value medical debt collection and provides services primarily to laboratories and medical testing facilities.
Between August 1, 2018 and March 30, 2019, an unauthorized user gained access to AMCA’s internal network and collected personal information from customers. According to documents from the New York Southern District Bankruptcy Court, the AMCA received various warnings from the banks that processed its payments, but failed to detect the violation.
On June 3, 2019, the AMCA notified 40 states and Washington, DC of the cyberattack. The company also informed those affected and offered them two years of free credit monitoring.
On June 17, 2019, AMCA filed for bankruptcy due to the costs associated with the data breach. The bankruptcy court subsequently granted the company permission to settle with all 40 states and Washington, DC, and the AMCA filed a non-suit on December 9, 2020.
Under the March 11 agreement, the AMCA agreed to implement certain data security practices, including the deployment of a detailed information security program with an incident response plan, cooperation with ongoing general investigations of prosecutors and preservation of evidence, and hiring of an information security officer and third party. party information security assessor.
If it violates any of the above data security practices, AMCA may also be liable for a payment of $ 21 million to states.