In 2019, the American Medical Collection Agency discovered that it was the victim of a data breach. Not just any data breach, though; the breach was the largest healthcare breach reported in 2019. AMCA, which operates in multiple states, informed states of the breach in June of 2019. A subsequent investigation led by the Attorneys General of Indiana, Texas, Connecticut and New York, led to a multistate lawsuit filed by the Attorneys General of 41 states. Recently, the lawsuit was settled. Under the terms of the settlement agreement, AMCA faces a $21 million penalty. The details of the PHI breach are discussed below.
What Happened: Details of the AMCA PHI Breach
AMCA is a debt collector, providing small debt collection services to healthcare clients such as laboratories and medical testing facilities, serving as their business associate.
On August 1, 2018, a hacker gained access to AMCA’s billing collections information. This information included PHI consisting of names, personal information, Social Security numbers, payment card information and, for some individuals, medical test information and diagnostic codes. The hacker continued to exfiltrate the PHI for eight months, through March 30 of 2019.
The PHI breach affected approximately 21 million patients. The clients affected by the PHI breach were Quest Diagnostics, with 11.9 million patients, LabCorp, with 7.7 million patients, Clinical Pathology Laboratories, with 2.2 million patients, BioReference with 422,000 patients, and a number of other providers.
When AMCA discovered the healthcare data breach in June of 2019, it began to notify states where the affected individuals reside. Affected individuals were offered complimentary credit monitoring services. The cost of remediating the breach led to AMCA’s filing for bankruptcy that same month.
The Settlement: States’ Attorneys General File Class Action Lawsuit
Subsequently, the Attorneys General of Indiana, Texas, Connecticut, and New York conducted an investigation of the healthcare data breach. The multistate investigation revealed that widespread information security deficiencies contributed to the cause of the breach. The investigation also found that AMCA had received warnings from banks that processed AMCA payments about fraudulent use of payment cards. Nonetheless, even after being told this, AMCA failed to detect the intrusion. The states then filed a multistate litigation against AMCA.
AMCA received court permission to settle the multistate action in 2020. By that time, a total of 41 state Attorneys General had joined the litigation against AMCA. Under the terms of the settlement, AMCA is required to create and implement an information security program, develop an incident response plan, employ a qualified chief information security officer (CISO), hire a third-party assessor to perform an information security assessment, and continue to assist state attorneys general with investigations into the healthcare data breach.
Under the terms of the settlement, AMCA must pay a $21 million penalty if it defaults on any terms of the settlement agreement.
Connecticut Attorney General William Tong, in a recent statement, made clear that states will hold businesses accountable for failure to safeguard protected health information. Noted Tong, “AMCA is a cautionary tale: When a company does not adequately invest in information security, the costs associated with a data breach can lead to bankruptcy – destroying the business and leaving affected individuals in harm’s way. My office will continue to work to protect personal information even where the business that had the responsibility to do so cannot.”
New York Attorney General Letitia James echoed Tong’s sentiments, “AMCA’s security failures resulted in 21 million Americans having their data illegally accessed. I am committed to protecting New Yorkers’ personal data and will not hesitate to hold companies accountable when they fail to safeguard that information. The settlement agreement ensures that the company has the appropriate security and incident response plan in place so that a failure like this does not take place again.”
