Settlement reached by Tenn. AG in a data breach case


The state of Tennessee has reached a settlement with a collection agency that suffered a data breach in 2019 that revealed the personal information of more than 132,000 Tennesseans, according to a press release issued Monday by Attorney General Herbert H. Slatery III.

Tennessee is part of a coalition of 41 state attorneys general that have entered into a legal agreement with Retrieval-Masters Creditors Bureau, a debt collection agency doing business as the American Medical Collection Agency.

The settlement resolves a multi-state investigation into the data breach, Slatery said in the press release.

AMCA specializes in the collection of low-value medical debts mainly for laboratories and medical testing facilities. An unauthorized user had access to the internal AMCA system from August 1, 2018 to March 30, 2019.

“The AMCA failed to detect the intrusion, despite warnings from the banks that processed its payments. The unauthorized user was able to collect social security numbers, payment card information and, in some cases, names of medical tests and diagnostic codes,” the statement said.

In June 2019, the AMCA notified numerous states and began notifying more than 7 million affected people nationwide, with the notices including a two-year offer of free credit monitoring.

On June 17, 2019, due to the costs associated with notifying and remedying the violation, AMCA filed for bankruptcy. The coalition of attorneys general of several states participated in bankruptcy proceedings.

AMCA received authorization from the bankruptcy court to settle with the multi-state coalition and filed for a dismissal in December 2020.

As part of the settlement, the AMCA could be liable for a total payment of $21 million to states, the statement said.

“Patients shouldn’t have to worry about their personal information, and especially sensitive medical information, being exposed through a security hole. Tennessee will continue to hold accountable companies that fail to implement appropriate safeguards or that drag their feet in the event of a breach,” Slatery said.

Due to AMCA’s financial condition, this payment is suspended unless the company violates certain terms of the settlement agreement, which include the following data security practices:

  • Create and implement an information security program with detailed requirements, including an incident response plan;
  • Employ a suitably qualified information security officer;
  • Hire a third party assessor to perform an information security assessment; and
  • Cooperate with Attorneys General in investigating data breaches and preserving evidence.
