Settlement Reached Over Data Breach Impacting 24 Million Americans

A multi-state settlement has been reached over a 2019 data breach that may have exposed the personal information of up to 25 million Americans. 

The breach took place from August 1, 2018, through March 30, 2019, when an unauthorized user gained access to the internal computer system of the American Medical Collection Agency (AMCA) by hacking into a web payment portal.

Once inside the system, the user was able to access a variety of sensitive data that included Social Security numbers, payment card information, and the results of medical tests. 

On June 3, 2019, AMCA issued a security notice regarding the breach. The company contacted impacted customers, offering them two years of complimentary credit monitoring. 

It later transpired that at least 23 different healthcare organizations had been impacted by the AMCA breach.

After paying costs associated with the breach notification and remediation, AMCA filed for bankruptcy on June 17, 2019. The company later received permission from the bankruptcy court to settle with the multi-state coalition and on December 9, 2020, filed for dismissal of the bankruptcy.

Under the terms of the settlement, Retrieval-Masters Creditors Bureau, doing business as AMCA, may be liable for a $21m total payment to the states. However, the payment has been suspended in light of AMCA's financial struggles and will only be activated if the company violates certain terms of the settlement agreement.

As part of the settlement, AMCA must implement various data security practices to protect consumers from future cyber-attacks. These include employing a chief information security officer, hiring a third-party assessor to perform an information security assessment, and creating and implementing an information security program with detailed requirements, including an incident response plan.

The settlement was reached between AMCA and the attorneys general of Arizona, Arkansas, Colorado, the District of Columbia, Connecticut, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Virginia, Washington, and West Virginia.
