Press Release  AG Healey Settles With Debt Collection Agency Over 2019 Data Breach That Impacted 21 Million Consumers Nationwide

BOSTON — Attorney General Maura Healey today announced a settlement with a medical debt collection agency to resolve a multistate investigation into a 2019 data breach that exposed the personal information of at least 7 million people in the United States, including 113,000 Massachusetts residents, and potentially exposed up to 21 million people nationwide. The compromised records included names, dates of birth, social security numbers, financial information, and medical information.

Today’s settlement was reached with a coalition of 41 attorneys general and Retrieval-Masters Creditors Bureau d/b/a American Medical Collection Agency (AMCA), a debt collection agency that engaged in nationwide debt collection on behalf of medical providers and testing labs. 

“This company failed to safeguard the personal and medical information of millions of residents across the country,” said AG Healey. “My office’s new Data Privacy and Security Division investigates cases like this to hold accountable companies that fail to put adequate security measures in place to protect consumers’ sensitive information.”

In June 2019, AMCA publicly disclosed that an unauthorized user gained access to AMCA’s internal system from August 1, 2018 through March 30, 2019. The unauthorized user was able to collect a wide variety of personal information, including social security numbers, payment card information, and, in some instances, names of medical tests and diagnostic codes. 

AMCA failed to detect the intrusion, despite warnings from banks that processed its payments that it may have been breached. A multistate investigation began, focused primarily on whether the company had reasonable procedures in place to safeguard protected personal information and health information. The investigation found that while AMCA publicly represented that it was compliant with all applicable laws, it failed to develop an adequate information security plan in compliance with Massachusetts law.

On June 3, 2019, when AMCA publicly disclosed the breach, the company also began providing notice to over 7 million affected individuals that included an offer of two years of free credit monitoring. On June 17, 2019, as a result of the costs associated with providing notification and remediating the breach, AMCA filed for bankruptcy. The multistate coalition participated throughout all bankruptcy proceedings through the attorneys general of Indiana and Texas. 

The multistate settlement, which has been approved by the bankruptcy court, assesses $21 million in penalties against AMCA to the states. Because of AMCA’s financial condition, that payment is suspended unless the company violates certain terms of the settlement agreement. 

Other terms of the settlement require AMCA and its principals (and any future company owned or managed by AMCA’s principals), to implement and maintain a series of data security practices designed to strengthen its information security program and safeguard the personal information of consumers. These include:

• Creating and implementing an information security program with detailed requirements, including an incident response plan;
• Employing a duly qualified Chief Information Security Officer;
• Hiring a Third-Party Assessor to perform an information security assessment; and
• Cooperating with the attorneys general with investigations related to the data breach and maintaining evidence.

In Massachusetts, this case was handled by Assistant Attorney General Jared Rinehimer of the AG’s Data Privacy and Security Division, which was created in August 2020 to better protect consumers from the surge of threats to the privacy and security of their data in an ever-changing digital economy. 

The attorneys general of Indiana, Texas, Connecticut, and New York led the investigation, assisted by the Massachusetts Attorney General’s Office and the attorneys general of Florida, Illinois, Maryland, Michigan, North Carolina, and Tennessee, and joined by the Attorneys General of Arizona, Arkansas, Colorado, the District of Columbia, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Minnesota, Missouri, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Utah, Vermont, Virginia, Washington, and West Virginia.

###