In 2019, the American Medical Collection Agency (AMCA) discovered that it had suffered a data breach, and not just any data breach: it was the largest healthcare breach reported that year. AMCA, which operates in multiple states, informed the affected states of the breach in June of 2019. An investigation led by the Attorneys General of Indiana, Texas, Connecticut and New York grew into a multistate lawsuit joined by the Attorneys General of 41 states. That lawsuit has now been settled. Under the terms of the settlement agreement, AMCA faces a $21 million penalty, which is suspended unless AMCA defaults on its other obligations. The details of the PHI breach are discussed below.

What Happened: Details of the AMCA PHI Breach

AMCA is a debt collector that provides small-balance debt collection services to healthcare clients such as laboratories and medical testing facilities. Because it handles patient data on their behalf, it acts as their business associate under HIPAA.


On August 1, 2018, a hacker gained access to AMCA’s billing and collections information. This information included PHI consisting of names, other personal information, Social Security numbers, payment card information and, for some individuals, medical test information and diagnostic codes. The intruder retained access and continued to exfiltrate PHI for eight months, through March 30, 2019.

The PHI breach affected approximately 21 million patients. The largest clients affected were Quest Diagnostics (11.9 million patients), LabCorp (7.7 million patients), Clinical Pathology Laboratories (2.2 million patients) and BioReference (422,000 patients), along with a number of other providers.

When AMCA disclosed the healthcare data breach in June of 2019, it began to notify the states where the affected individuals reside. Affected individuals were offered complimentary credit monitoring services. The cost of remediating the breach led to AMCA’s filing for bankruptcy that same month.


The Settlement: States’ Attorneys General File Multistate Lawsuit

Subsequently, the Attorneys General of Indiana, Texas, Connecticut, and New York conducted an investigation of the healthcare data breach. The multistate investigation found that widespread information security deficiencies contributed to the breach. It also found that banks which processed AMCA’s payments had warned AMCA that payment cards handled by AMCA were turning up in fraudulent transactions. Even with that external signal in hand, AMCA failed to detect the intrusion, which continued for months. The states then filed a multistate action against AMCA.

AMCA received court permission to settle the multistate action in 2020. By that time, a total of 41 state Attorneys General had joined the litigation against AMCA. Under the terms of the settlement, AMCA is required to create and implement an information security program, develop an incident response plan, employ a qualified chief information security officer (CISO), hire a third-party assessor to perform an information security assessment, and continue to assist the state Attorneys General with their investigations into the healthcare data breach.

The settlement also imposes a $21 million penalty. Payment is suspended because of AMCA’s financial condition, but the full amount becomes due if AMCA defaults on any term of the settlement agreement.

Connecticut Attorney General William Tong, in a recent statement, made clear that states will hold businesses accountable