Multistate HIPAA settlement reached with debt collection company

A coalition of 40 states and the District of Columbia have entered into an agreement with Retrieval-Masters Creditors Bureau, doing business as American Medical Collection Agency (“AMCA”), to resolve the multistate investigation, led by the attorneys general of Connecticut, Indiana, New York, and Texas, into a data breach that occurred in 2018-2019.

 

Retrieval Masters/AMCA is a New York corporation that provides small debt collection services to laboratories and medical testing facilities throughout the US.  The company disclosed in June 2019 that between August 2018 and March 2019, an unauthorized user had penetrated its computer systems and potentially gained access to the personal information of nearly 21 million individuals (including such information as social security numbers, payment card information, and medical test and diagnostic information).  According to the findings, banks processing payments for AMCA noticed suspicious transactions and warned AMCE, but the intrusion went undetected for months.  AMCA finally began providing notice to regulatory authorities, law enforcement, and consumers in June 2019.  Soon thereafter, the company declared bankruptcy (the court later dismissed the Chapter 11 case and authorized the company to make distributions to its creditors).

 

The settlement provides for monetary and injunctive relief (though the monetary penalties are suspended pending AMCA’s compliance with the injunctions).  The injunctive provisions include: 

  • Continued cooperation with the states' investigations and compliance with applicable laws and regulations (to include ensuring the AMCA’s public-facing statements make no misrepresentations with respect to AMCA’s data security practices);
  • Development, implementation, maintenance and documentation of a written information security program, which must include a written incident response;
  • Employment of a chief information security officer;
  • Engagement of an independent third-party assessor to prepare and submit, within 120 days of the settlement and every year thereafter for 7 years, a report assessing AMCA’s compliance with the settlement. 

NY agreement | Texas agreement 

You are currently offline.