AG Racine Announces Settlement with American Medical Collection Agency Over 2019 Data Breach Affecting 12,530 District Residents

Company Will Safeguard Personal Consumer Information as Part of Agreement with 41 Attorneys General

WASHINGTON, D.C. – Attorney General Karl A. Racine today announced a settlement with American Medical Collection Agency (“AMCA”) resolving a multistate investigation into a 2019 data breach that exposed the personal information of up to 21 million individuals, including 12,530 District residents. A coalition of 41 attorneys general negotiated the settlement, under which AMCA and its principals have agreed to implement and maintain a series of data security practices designed to strengthen its information security program and safeguard the personal information of consumers. If AMCA violates certain terms of the agreement, it will be required to pay $21 million to the states.

“In this digital world, all companies have a responsibility to protect the sensitive information that consumers provide them through electronic transactions,” said AG Racine. “AMCA received warnings that its system had been compromised yet it neglected to act. With this settlement, state attorneys general are holding the company accountable and giving AMCA consumers greater peace of mind that their data will be kept safe.”

AMCA is part of the Retrieval-Masters Creditors Bureau, a debt collection agency. Under the AMCA name, the company specialized in medical debt collection for laboratories and medical testing facilities. An unauthorized user gained access to AMCA’s internal system from August 1, 2018 through March 30, 2019. AMCA failed to detect the intrusion despite warnings from banks that processed its payments. The unauthorized user was able to collect a wide variety of personal information, including Social Security numbers, payment card information, and, in some instances, names of medical tests and diagnostic codes. 

On June 3, 2019 AMCA provided notice of the data breach to many states and began providing notice to more than 7 million affected individuals. That notice included an offer of two years of free credit monitoring. On June 17, 2019, because of the costs associated with addressing the breach, AMCA filed for bankruptcy. To continue the investigation and take steps to ensure that the personal information of their residents was protected, the multistate coalition participated in all bankruptcy proceedings. The company ultimately received permission from the bankruptcy court to settle with the coalition, and on December 9, 2020, filed for dismissal of the bankruptcy. 

As part of the settlement, AMCA has agreed to create and implement an information security program, including the adoption of an incident response plan, use a third-party to perform information security assessments, continue cooperating with the attorneys general with investigations related to the data breach, and employ a qualified chief information security officer. If ACMA fails to cooperate with the attorneys general investigation or misrepresents its assets, it will be required to pay $21 million to the states.

A copy of the complaint is available at: https://oag.dc.gov/sites/default/files/2021-03/AMCA-complaint.pdf

A copy of the agreement is available at: https://oag.dc.gov/sites/default/files/2021-04/Agreed-Final-Judgment.pdf

The attorneys general of Indiana, Texas, Connecticut, and New York led the investigation, assisted by the attorneys general of Florida, Illinois, Maryland, Massachusetts, Michigan, North Carolina, and Tennessee. AG Racine joined the multistate coalition, along with the attorneys general of Arizona, Arkansas, Colorado, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Minnesota, Missouri, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Utah, Vermont, Virginia, Washington, and West Virginia.

How to Report Unfair Business Practices
To report scams, fraud, or unfair business practices, contact OAG’s Office of Consumer Protection by:

Protecting Your Personal Information
For information about steps you can take to protect your own sensitive and private information, visit OAG’s Consumer Protection Library. Learn more about how to protect yourself online here.