For Immediate Release:
Thursday, March 11, 2021
Laura Brewer (919) 716-6484
(RALEIGH) Attorney General Stein today announced a multistate settlement with Retrieval-Masters Creditors bureau, doing business as the American Medical Collection Agency (AMCA), to resolve an investigation into a 2019 data breach that exposed the personal information of more than 7 million people, including 90,055 North Carolinians.
“When businesses fail to take the necessary precautions to safeguard people’s data, they make it easier for bad actors to steal North Carolinians’ information,” said Attorney General Josh Stein. “My office will take action when businesses unreasonably put North Carolinians at risk of identity theft and fraud.”
As AMCA, the debt collection agency specialized in small balance medical debt collection primarily for laboratories and medical testing facilities. An unauthorized user gained access to AMCA’s internal system from August 1, 2018, through March 30, 2019. AMCA failed to detect the intrusion, despite warnings from banks that processed its payments. The unauthorized user was able to collect a wide variety of personal information, including Social Security numbers, payment card information, and, in some instances, names of medical tests and diagnostic codes.
On June 3, 2019, AMCA provided notice to many states and began providing notice to more than 7 million affected people and included an offer of two years of free credit monitoring. On June 17, 2019, AMCA filed for bankruptcy as a result of the costs associated with providing notification and remediating the breach. In order to continue the investigation and take steps to ensure that the personal information of their residents was protected, the multistate coalition of 41 attorneys general, including Attorney General Stein, participated in all bankruptcy proceedings through the Attorneys General of Indiana and Texas. The company ultimately received permission from the bankruptcy court to settle with the states and filed for dismissal of the bankruptcy on December 9, 2020.
AMCA may be liable for a $21 million payment to the states. However, because of its financial condition, that payment is suspended unless the company violates certain terms of the settlement agreement. Under the terms of the settlement, AMCA and its principals have agreed to implement and maintain a series of data security practices designed to strengthen its information security program and safeguard the personal information of consumers. These include:
- Creating and implementing an information security program with detailed requirements, including an incident response plan.
- Employing a duly qualified Chief Information Security Officer.
- Hiring a third-party assessor to perform an information security assessment.
- Cooperating with the attorneys general with investigations related to the data breach and maintaining evidence.
Data breaches continue to compromise North Carolinians’ data – a record 1,644 breaches were reported to the North Carolina Department of Justice in 2020, affecting nearly 1.2 million North Carolinians. Nearly two-thirds of the breaches were caused by hacking or unauthorized access.
Attorney General Stein assisted in the investigation, along with the Attorneys General of Indiana, Texas, Connecticut, New York, Florida, Illinois, Maryland, Massachusetts, Michigan, and was joined by the Attorneys General of Tennessee, Arizona, Arkansas, Colorado, the District of Columbia, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Minnesota, Missouri, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Utah, Vermont, Virginia, Washington, and West Virginia.