Earlier this month, insideARM wrote about a data breach that occurred at American Medical Collection Agency (AMCA), a healthcare debt collection agency, when its web payment page was compromised. Yesterday, AMCA filed for Chapter 11 bankruptcy (using its business name of Retrieval-Masters Creditors Bureau, Inc.).
Editor’s Note: Chapter 11 bankruptcy involves the reorganization of a business’s debts so that the business can continue, compared to Chapter 7 bankruptcy, which involves liquidation of the business’s assets to pay creditors.
Russell Fuchs, AMCA’s founder and CEO, filed a declaration in support of the bankruptcy in which he outlined the series of events that led to the data breach and the fallout from the incident. Fuchs discusses the history of the agency and how, over time, demand grew for web-based interaction with patients, such as the web payment page. The data breach was the first in the company’s 40-year history. The declaration states:
[AMCA] first learned that there might be a problem when it received a series of “CPP notices” that suggested that a disproportionate number of credit cards that at some point had interacted with [AMCA]'s web portal were later associated with fraudulent charges. In response, [AMCA] shut down its web portal to prevent any further compromises of customer data, and engaged outside consultants who were able to confirm that, in fact, [AMCA]'s servers (but not [AMCA]'s residual mainframe) had been hacked as early as August, 2018. This knowledge led to the following cascade of events that ultimately has resulted in [AMCA]'s need to seek relief under [C]hapter 11 of the Bankruptcy Code in this Court.
Fuchs explains that the data breach led to a severe drop in AMCA’s business. LabCorp almost immediately terminated its relationship with AMCA, while Quest Diagnostics, Conduent, and CareCentrix (which, along with LabCorp, made up AMCA’s four largest clients) terminated or “substantially curtailed” their involvement with AMCA.
In all, the data breach and its fallout left the business, which had previously been adequately capitalized, unable to bear its expenses. Thus, it filed for Chapter 11 bankruptcy.
As insideARM previously mentioned, this is a sobering story. Fuchs’ declaration should be required reading for all executives and compliance, legal, and IT professionals in our industry. It outlines in detail how the demand for innovation led to the worst-case scenario and resulted in a compromise of consumer data, the loss of a business’s major clients, and employee layoffs. With the sensitive nature of consumer data held by collection agencies, the balancing act between innovation and security is vital.