Nashville- Attorney General Herbert H. Slatery III announced that Tennessee, as part of a coalition of 41 Attorneys General, has settled with Retrieval-Masters Creditors Bureau, a debt collection agency doing business as American Medical Collection Agency (“AMCA”). The settlement resolves a multistate investigation into the 2019 data breach that exposed the personal information of over 7 million individuals, including 132,451 Tennesseans.

AMCA specialized in small balance medical debt collection primarily for laboratories and medical testing facilities. An unauthorized user gained access to AMCA’s internal system from August 1, 2018 through March 30, 2019. AMCA failed to detect the intrusion, despite warnings from banks that processed its payments. The unauthorized user was able to collect Social Security numbers, payment card information, and, in some instances, names of medical tests and diagnostic codes.

On June 3, 2019 AMCA provided notice to many states and began providing notice to over 7 million affected individuals that included an offer of two years of free credit monitoring. On June 17, 2019, as a result of the costs associated with providing notification and remediating the breach, AMCA filed for bankruptcy. The multistate coalition participated in all bankruptcy proceedings. The company ultimately received permission from the bankruptcy court to settle with the multistate, and on December 9, 2020, filed for dismissal of the bankruptcy.

“Patients should not have to worry about their personal information – and especially sensitive medical information- being exposed through a security breach,” said General Slatery. “Tennessee will continue to hold companies accountable that do not implement proper safeguards or drag their feet when a breach occurs.”

As part of the settlement, AMCA may be liable for a $21 million total payment to the states. Because of AMCA’s financial condition, that payment is suspended unless the company violates certain terms of the settlement agreement which include the following data security practices:

• Creating and implementing an information security program with detailed requirements, including an incident response plan;
• Employing a duly qualified Chief Information Security Officer;
• Hiring a Third-Party Assessor to perform an information security assessment; and
• Cooperating with the Attorneys General with investigations related to the data breach and maintaining evidence.

To read the Agreed Final Judgment, click here: https://www.tn.gov/content/dam/tn/attorneygeneral/documents/pr/2021/pr21-13-afj.pdf

The Attorneys General of Indiana, Texas, Connecticut, and New York led the investigation, assisted by the Attorneys General of Florida, Illinois, Maryland, Massachusetts, Michigan, North Carolina, and Tennessee, and joined by the Attorneys General of Arizona, Arkansas, Colorado, the District of Columbia, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Minnesota, Missouri, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Utah, Vermont, Virginia, Washington, and West Virginia.

###

#21-13:  AG Slatery Announces Multistate Settlement with American Medical Collection Agency