In 2019, the largest reported healthcare data breach was at American Medical Collection Agency (AMCA), a debt collection agency specializing in small debt collections for laboratories and medical testing companies. Hackers gained access to a web portal and were able to steal the protected health information of patients of its customers over many months. The PHI of at least 21 million Americans was compromised in the breach, including names, contact information, dates of birth, Social Security numbers, and credit card information. AMCA was alerted to the breach by banks via Common Point of Purchase notices. It was determined that the web portal was compromised between August 1, 2018 and March 30, 2019.
As is now common following large-scale data breaches, state Attorneys General combine their resources when conducting investigations. 41 state Attorneys Generals participated in the investigation, led by the State AGs for Indiana, Texas, Connecticut, and New York. A settlement has now been reached between the state AGs and AMCA that requires the debt collection agency to implement a range of cybersecurity measures to ensure sensitive data is safeguarded moving forward; however, the company will avoid a financial penalty provided it does not violate the terms of the settlement agreement.
AMCA faced huge costs following the breach and many lawsuits have been filed against the company over the theft of protected health information and AMCA filed for bankruptcy protection in June 2019. The state AGs for Indiana and Texas participated in the bankruptcy proceedings to ensure the investigation continued and protected health information was protected.
The settlement agreed with AMCA requires the company to hire a qualified Chief Information Security Officer (CISO) to oversee cybersecurity and compliance with the terms of the settlement. Those terms involve implementing data security practices appropriate to the size and complexity of the company, including administrative, technical, and physical safeguards. AMCA must develop and implement an incident response plan, limit user access to PHI to the minimum necessary amount for users to perform their job functions, and arrange for third-party cybersecurity assessments to be conducted annually.
If AMCA violates any of the terms of the settlement it will be liable for a $21 million financial penalty, which will be divided across the 41 states that participated in the investigation. The decision was made to suspend the financial penalty due to the financial position of the company.
“AMCA’s security failures resulted in 21 million Americans having their data illegally accessed. I am committed to protecting New Yorkers’ personal data and will not hesitate to hold companies accountable when they fail to safeguard that information,” said New York Attorney General Letitia James. “Today’s agreement ensures that the company has the appropriate security and incident response plan in place so that a failure like this does not take place again.”
The Attorneys General of Arizona, Arkansas, Colorado, the District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Utah, Vermont, Virginia, Washington, and West Virginia also participated in the investigation.