DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Multi-state settlement in 2019 American Medical Collection Agency breach

Posted on March 11, 2021 by Dissent

New York Attorney General Letitia James today announced an agreement between a bipartisan coalition of 41 attorneys general from around the nation and the Westchester County debt collection agency Retrieval-Masters Creditors Bureau, d/b/a American Medical Collection Agency (AMCA), that resolves a multistate investigation into the company’s 2019 data breach. The breach exposed the personal information — including Social Security numbers, payment card information, and, in some instances, names of medical tests and diagnostic codes — of up to 21 million individuals, including 582,146 New Yorkers. AMCA is based in Elmsford, New York and specializes in small-balance medical-debt collection, primarily for laboratories and medical testing facilities.

“If companies are going to manage New Yorkers’ personal information, they must make every effort to protect that information,” said Attorney General James. “But AMCA’s security failures resulted in 21 million Americans having their data illegally accessed. I am committed to protecting New Yorkers’ personal data and will not hesitate to hold companies accountable when they fail to safeguard that information. Today’s agreement ensures that the company has the appropriate security and incident response plan in place so that a failure like this does not take place again.”

Between August 1, 2018 and March 30, 2019, an unauthorized user gained access to AMCA’s internal system and was able to collect a wide variety of customers’ personal information. Despite numerous warnings from banks that processed its payments about a potential breach, AMCA failed to detect the intrusion.

On June 3, 2019, AMCA provided notice to the states, including New York — which immediately opened an investigation. The company also simultaneously began providing notice to affected individuals. To help manage the harm from the exposure of personal information, AMCA offered affected individuals two years of free credit monitoring.

On June 17, 2019 — as a result of the costs associated with providing notification and remediating the breach — AMCA filed for bankruptcy. In order to continue the investigation and take steps to ensure that the personal information of their residents was protected, Attorney General James and other members of the multistate coalition participated in the bankruptcy proceedings. The company ultimately received permission from the bankruptcy court to settle with the multistate coalition, and, on December 9, 2020, the company filed for dismissal of the bankruptcy.

Under the terms of today’s agreement, AMCA and its principals have agreed to implement and maintain a number of data security practices designed to strengthen its information security program and safeguard the personal information of consumers. These include:

  • Creating and implementing an information security program with detailed requirements, including an incident response plan;
  • Employing a duly qualified chief information security officer to oversee data safety practices at the company;
  • Hiring a third-party assessor to perform an information security assessment; and
  • Cooperating with the attorneys’ general investigation and maintaining evidence.

As part of the agreement, AMCA may also be liable for a $21 million payment to the states if the company violates the injunctive terms of the agreement. Because of AMCA’s financial condition, the payment will be suspended if no violation occurs.

Joining Attorney General James in co-leading this investigation were the attorneys general of Connecticut, Indiana, and Texas. They were joined by the attorneys general of Arizona, Arkansas, Colorado, Florida, Georgia, Hawaii, Idaho, Illinois, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Utah, Vermont, Virginia, Washington, West Virginia, and the District of Columbia.

This matter was handled for New York by Deputy Bureau Chief Clark Russell of the Bureau of Internet and Technology, under the supervision of Bureau Chief Kim Berger. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D’Angelo and overseen by First Deputy Attorney General Jennifer Levy.

Source: NYS Attorney General James


Related:

  • IVF provider Genea notifies patients about the cyberattack earlier this year.
  • Clorox Files $380M Suit Alleging Cognizant Gave Hackers Passwords in Catastrophic 2023 Cyberattack
  • Cyberattacks Paralyze Major Russian Restaurant Chains
  • France Travail: At least 340,000 job seekers victims of new hack
  • PowerSchool commits to strengthened breach measures following engagement with the Privacy Commissioner of Canada
  • Two more entities have folded after ransomware attacks
Category: Business SectorHackHealth DataU.S.

Post navigation

← Lot-et-Garonne firefighters victims of a cyber attack
TR: Adim Adim hacked →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Scattered Spider Hijacks VMware ESXi to Deploy Ransomware on Critical U.S. Infrastructure
  • Hacker group “Silent Crow” claims responsibility for cyberattack on Russia’s Aeroflot
  • AIIMS ORBO Portal Vulnerability Exposing Sensitive Organ Donor Data Discovered by Researcher
  • Two Data Breaches in Three Years: McKenzie Health
  • Scattered Spider is running a VMware ESXi hacking spree
  • BreachForums — the one that went offline in April — reappears with a new founder/owner
  • Fans React After NASCAR Confirms Ransomware Breach
  • Allianz Life says ‘majority’ of customers’ personal data stolen in cyberattack (1)
  • Infinite Services notifying employees and patients of limited ransomware attack
  • The safe place for women to talk wasn’t so safe: hackers leak 13,000 user photos and IDs from the Tea app

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Congress tries to outlaw AI that jacks up prices based on what it knows about you
  • Microsoft’s controversial Recall feature is now blocked by Brave and AdGuard
  • Trump Administration Issues AI Action Plan and Series of AI Executive Orders
  • Indonesia asked to reassess data privacy terms in new U.S. trade deal
  • Meta Denies Tracking Menstrual Data in Flo Health Privacy Trial
  • Wikipedia seeks to shield contributors from UK law targeting online anonymity
  • British government reportedlu set to back down on secret iCloud backdoor after US pressure

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.