On March 11, 2021, American Medical Collection Agency (AMCA) settled with 40 states and the District of Columbia regarding its 2018/2019 data breach. AMCA specializes in collecting small-dollar medical debt. Between August 1, 2018, and March 30, 2019, a hacker compromised AMCA’s web payment page, exposing the personal information of at least 21 million individuals across the country.
AMCA first learned of the issue when it began receiving a disproportionate number of notices that credit cards used on its web portal were later associated with fraudulent activity. Outside consultants ultimately confirmed the breach, and in June 2019, AMCA reported it to 40 states and the District of Columbia.
As a direct result of the data breach, AMCA suffered a severe drop in business and filed for Chapter 11 Bankruptcy protection. AMCA received permission from the bankruptcy court to settle with the multi-state coalition and, on December 9, 2020, filed for dismissal of the bankruptcy action.
Per the terms of the settlement agreement, the 21-million-dollar payment to the states is deferred so long as AMCA complies with the agreement's other terms. Among those requirements, AMCA must create and implement an information security program, employ a chief information security officer, hire a third-party assessor to perform a security assessment, and cooperate with the attorneys general of the 40 states and the District of Columbia that are party to the settlement.
As insideARM previously mentioned, this is a sobering story. AMCA's well-intentioned decision to provide consumers a web portal for payment ultimately led to a significant data breach that harmed both consumers and AMCA. It is a stark reminder that technology platforms cannot be added or updated in a vacuum. Any entity handling consumer data needs to take appropriate steps to assess a new technology's vulnerabilities before deploying it, and to keep watching it afterward: AMCA's compromise ran for roughly eight months before fraud notices brought it to light.