Settlement holds American Medical Collection Agency accountable for 2019 data breach
A multistate investigation into the 2019 data breach that exposed the personal information of over 7 million people has resulted in a $21 million settlement.
An unauthorized user gained access to American Medical Collection Agency’s internal system from Aug. 1, 2018 through March 30, 2019. AMCA failed to detect the intrusion, despite warnings from banks that processed its payments, allowing the unauthorized user to collect a wide variety of personal information, including Social Security numbers, payment card information, and, in some instances, names of medical tests and diagnostic codes.
On June 3, 2019, AMCA provided notice to many states and began providing notice to over 7 million affected individuals that included an offer of two years of free credit monitoring.
On June 17, 2019, as a result of the costs associated with providing notification and remediating the breach, AMCA filed for bankruptcy.
The multistate coalition leading the investigation participated in the bankruptcy proceedings. The company ultimately received permission from the bankruptcy court to settle with the coalition and, on Dec. 9, 2020, filed for dismissal of the bankruptcy.
As part of the settlement, AMCA may be liable for a $21 million total payment to the states. Because of AMCA’s financial condition, that payment is suspended unless the company violates certain terms of the settlement agreement.
“In today’s world, where almost everything is digital and online, securing consumers’ personal information must be a top priority for all businesses,” Virginia Attorney General Mark Herring said. “I remain committed to keeping Virginians’ personal data protected and holding any business who puts personal information at risk accountable for their actions.”
Under the terms of the settlement, AMCA and its principals have agreed to implement and maintain a series of data security practices designed to strengthen its information security program and safeguard the personal information of consumers.
- Creating and implementing an information security program with detailed requirements, including an incident response plan.
- Employing a duly qualified Chief Information Security Officer.
- Hiring a Third-Party Assessor to perform an information security assessment.
- Cooperating with the Attorneys General in investigations related to the data breach and maintaining evidence.