Debt Collection Firm Reaches Breach Settlement With States
AMCA, Which Had Filed for Bankruptcy, Agrees to Bolster Its Security

A coalition of 41 state attorneys general has reached a settlement with American Medical Collection Agency in the wake of a 2018 data breach that compromised the personal and health data of 21 million individuals and pushed the company to file for bankruptcy.
Under the settlement, Elmsford, New York-based AMCA has agreed to implement data security practices, including developing and implementing an incident response plan, employing a CISO, and hiring a third-party assessor to perform an information security assessment.
As part of the agreement, AMCA may also be liable for a $21 million payment to the states if the company violates the injunctive terms of the agreement. Because of AMCA’s financial condition, however, the payment will be suspended if no violation occurs, the NY attorney general's statement notes.
"AGs are clearly responding to fears raised by citizens who are concerned about becoming victims of identity theft and fraud," says privacy attorney David Holtzman of the consulting firm HITprivacy LLC.
Breach Discovery
In March 2019, the collection agency discovered a data breach that exposed Social Security numbers, payment card information and, in some instances, names of medical tests and diagnostic codes. LabCorp and Quest Diagnostics were among more than a dozen AMCA clients that reported significant health data breaches tied to the AMCA incident.
Court documents in the AMCA case indicate that the breach apparently occurred sometime during 2018.
AMCA first learned that the company might have a problem when it received a series of "Common Point of Purchase" notices suggesting that a disproportionate number of credit cards that at some time had shown up on AMCA’s web portal were later associated with fraudulent charges, court documents say.
AMCA says it shut down its web portal to prevent any further compromises of customer data and engaged outside consultants who confirmed that AMCA’s servers had been hacked as early as August 2018.
Filed for Bankruptcy
Citing substantial costs associated with the breach fallout, AMCA filed for bankruptcy in June 2019 (see: AMCA Bankruptcy Filing in Wake of Breach Reveals Impact).
Once the company reached the settlement with the attorneys general, however, it filed for dismissal of the bankruptcy petition, AMCA says.
But the phone numbers and websites for AMCA and its parent company, Retrieval-Masters Creditors Bureau, appeared not to be functional on Friday.
Investigation Not Deterred by Bankruptcy
The AMCA case proves that regulators will continue to investigate data breaches even if the affected organization files for bankruptcy, says privacy attorney Iliana Peters of the law firm Polsinelli.
"I believe this approach makes sense, given that any particular entity that is restructuring in bankruptcy should consider data privacy and security as part of that effort, so that both investors and customers are protected post-bankruptcy," she says.
In a handful of other breach cases, regulators have reached settlements with entities in the midst of bankruptcy proceedings.
For instance, the Department of Health and Human Services' Office for Civil Rights in 2017 made arrangements to have a cyber insurer, Beazley Group, cover a $2.3 million HIPAA penalty on behalf of a bankrupt cancer care clinic chain, 21st Century Oncology, which had a 2015 data breach. The entity also separately agreed to false claims settlements totaling $26 million.
Systemic Failure
The scope and breadth of the AMCA corrective action reflect the findings of a systemic failure to implement a risk-based information security program, Holtzman says.
"The lack of fundamental policies and procedures to have safeguards in place to protect the financial and health information of consumers, combined with a failure to perform information security risk assessment or mitigate gaps that would have been discovered, left the information system open to attack," he says.
"These failures prevented this large, sprawling medical collection agency from discovering that access to the information system had been compromised," Holtzman says.
As a business associate, AMCA apparently did not take reasonable steps to respond to the information security incident, assess existing safeguards to determine if they were adequate to protect the data they were holding, or take measures to mitigate the harm from the cybersecurity incident, he contends.
Class-Action Lawsuit Pending
The states' settlement with AMCA will not hinder ongoing class-action civil suits filed against AMCA and some of its medical testing laboratory clients on behalf of individuals affected by the breach. Those cases have been consolidated for pretrial proceedings in the U.S. District Court for the District of New Jersey, notes regulatory attorney Paul Hales of the law firm Hales Law Group.
The consolidated civil suits are seeking to hold AMCA’s customers, which are large well-funded companies, liable to pay money damages resulting from AMCA’s data breaches, Hales says.
"While HIPAA does not create a private right to sue, courts increasingly look to it as the ‘standard of care’ covered entities must meet in data breach cases," he notes.