After 42 years in business, the parent company of American Medical Collections Agency (AMCA) has sought Chapter 11 protection and has filed for bankruptcy.
On Monday, Retrieval-Masters Credit Bureau (RMCB) sought court approval to transition into Chapter 11 and is attempting to liquidate its assets to cover the growing costs of the data breach.
The breach was discovered in March 2019 after notification was received from a security company that data held by AMCA had been stolen and was being offered for sale on hacking forums. The company also received several Common Point of Purchase notices from financial institutions which indicated credit card information had been stolen and used to make fraudulent purchases.
AMCA took prompt action to address the breach and closed down its payment portal. The investigation revealed the portal was first breached in August 2018 and more than 20 million records had potentially been compromised. The majority of those records belonged to the medical test laboratory chain Quest Diagnostics. Almost 12 million individuals who underwent testing through Quest Diagnostics had their data exposed. Two other laboratory chains were affected. 7.7 million customers of LabCorp and 423,000 customers of BioReference Laboratories also had their data exposed.
Hackers gained access to a web payment page for a period of around 7 months and had access to credit card information, Social Security numbers, and other sensitive data.
When companies started to be notified of the breach at AMCA, most stopped sending data to the collections agency and LabCorp terminated its association with the company immediately. According to the filing, four of the company’s largest clients either stopped sending data or terminated their relationship. That had a major impact on earnings.
The company has already spent around $400,000 on IT support and security consultants and more than $3.8 million has been spent on breach notifications to more than 7 million individuals. The breach investigation is ongoing and the breach costs are continuing to mount. The company was left with no alternative other than filing for bankruptcy.
The company did not have the funds to cover the costs of the breach response. Russell Fuchs, RMCB’s owner and CEO, loaned the company $2.5 million to help cover the cost. The company has also reduced staff numbers from 113 to 25.
In addition to managing the breach response, the company has been inundated with requests and demands from government agencies seeking answers about the breach and more than a dozen class action lawsuits have been filed.
AMCA will also have to deal with an OCR investigation and could face HIPAA fines from OCR and state attorneys general over the breach. OCR has previously taken action against companies that are no longer in business or have gone bankrupt such as Filefax in 2018 and 21st Century Oncology in 2017. The former was fined $100,000 by OCR and the latter had to pay a financial penalty of $2.3 million.