LANSING, MI – Michigan along with several other states have reached a final settlement with American Medical Collection Agency (AMCA) for a 2019 data breach that exposed the personal information of more than 7 million individuals.
Attorney General Dana Nessel today announced that Michigan, as part of a coalition of 41 attorneys general, has reached a settlement agreement with Retrieval-Masters Creditors Bureau d/b/a American Medical Collection Agency (AMCA) to resolve a multistate investigation into the 2019 data breach that exposed the personal information of more than 7 million individuals, including 146,886 Michigan residents and potentially exposed the personal information of up to 21 million individuals throughout the United States.
Retrieval-Masters Creditors Bureau is a debt collection agency. Under the name of AMCA, the company specialized in small-balance medical debt collection primarily for laboratories and medical testing facilities. An unauthorized user gained access to AMCA’s internal system from Aug. 1, 2018 through March 30, 2019. AMCA failed to detect the intrusion, despite warnings from banks that processed its payments. The unauthorized user was able to collect a wide variety of personal information, including Social Security numbers, payment card information and, in some instances, names of medical tests and diagnostic codes.
On June 3, 2019, AMCA provided notice to many states and began providing notice to more than 7 million affected individuals that included an offer of two years of free credit monitoring. On June 17, 2019, as a result of the costs associated with providing notification and remediating the breach, AMCA filed for bankruptcy. In order to continue the investigation and take steps to ensure that the personal information of their residents was protected, the multistate coalition participated in all bankruptcy proceedings through the attorneys general of Indiana and Texas. The company ultimately received permission from the bankruptcy court to settle with the multistate, and on Dec. 9, 2020, filed for dismissal of the bankruptcy.
“This company failed to appropriately recognize and respond to warnings that the data it was storing had been compromised, jeopardizing the personal information of millions of people,” Nessel said. “In this technological age, our private data is valuable information, and it must be kept secure by those we entrust it to.”
There is no financial loss to date as a result of the data breach. Consumers whose information was compromised were offered two years of free credit monitoring by AMCA.
As part of the settlement, AMCA may be liable for a $21 million payment to the states. However, because of AMCA’s financial condition, that payment is suspended unless the company violates certain terms of the settlement agreement.
Under the terms of the settlement, AMCA and its principals have agreed to implement and maintain a series of data security practices designed to strengthen its information security program and safeguard the personal information of consumers. These include:
- Creating and implementing an information security program with detailed requirements, including an incident response plan;
- Employing a duly qualified chief information security officer;
- Hiring a third-party assessor to perform an information security assessment; and
- Cooperating with the attorneys general with investigations related to the data breach and maintaining evidence.
In addition, AMCA is prohibited from transferring, selling or using consumers’ personal information that it collected, except as required by law.
Joining Attorney General Nessel in this matter are the attorneys general of Arizona, Arkansas, Colorado, Connecticut, the District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Minnesota, Missouri, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Virginia, Washington, and West Virginia.
Michigan’s settlement was filed in Ingham County Circuit Court.