March 11, 2021
Carson City, NV – Today, Nevada
Attorney General Aaron D. Ford announced that Nevada, as part of a coalition of
41 Attorneys General, has settled with Retrieval-Masters Creditors Bureau d/b/a
American Medical Collection Agency (AMCA), resolving a multistate investigation
into a 2019 data breach that exposed the personal information of more than 7
million individuals, including 345,447 Nevadans, and potentially exposed the
personal information of up to 21 million individuals throughout the United
States.
AMCA specialized in small-balance medical debt collection primarily for laboratories
and medical testing facilities. An unauthorized user gained access to AMCA’s
internal system from August 1, 2018 through March 30, 2019. AMCA failed to
detect the intrusion, despite warnings from banks that processed its payments.
The unauthorized user was able to collect a wide variety of personal
information, including Social Security numbers, payment card information, and,
in some instances, names of medical tests and diagnostic codes.
“Debt collectors, particularly those with consumers’ health information, have a
duty to uphold the promise to keep consumers’ data safe from unauthorized
access,” said AG Ford. “My office will continue
to make sure that those who have access to Nevadans’ personal and financial
information maintain the security standards necessary to keep that data from being
exposed.”
On June 3, 2019, AMCA began providing notice of the breach to more than 7 million
affected individuals, which included an offer of two years of free credit
monitoring. On June 17, 2019, as a result of the costs associated with
providing notification and remediating the breach, AMCA filed for bankruptcy.
In order to continue the investigation and take steps to ensure that the
personal information of their residents was protected, the multistate coalition
participated in all bankruptcy proceedings through the Attorneys General of
Indiana and Texas. The company ultimately received permission from the
bankruptcy court to settle with the multistate, and on December 9, 2020, filed
for dismissal of the bankruptcy.
As part of the settlement, AMCA may be liable for a suspended $21 million total
payment to the states. Because of AMCA’s financial condition, the payment is
suspended unless the company violates certain terms of the settlement agreement.
Importantly, under the terms of the settlement, AMCA and its principals have agreed to
implement and maintain a series of data security practices designed to
strengthen its information security program and safeguard the personal
information of consumers. These include:
Creating and implementing an information security program with detailed requirements, including an incident response plan;
Employing a duly qualified Chief Information Security Officer;
Hiring a Third-Party Assessor to perform an information security assessment; and
Cooperating with the Attorneys General with investigations related to the data breach and maintaining evidence.
In addition to Nevada, other states participating in the coalition include:
Arizona, Arkansas, Connecticut,
Colorado, the District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois,
Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts,
Michigan, Minnesota, Missouri, Nebraska, New Hampshire, New Jersey, New Mexico,
New York, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island,
South Carolina, Tennessee, Texas, Utah, Vermont, Virginia, Washington, and West
Virginia.
The filing is attached.