Attorney General Gurbir S. Grewal announced today that New Jersey has entered into a multistate settlement with Retrieval-Masters Creditors Bureau d/b/a American Medical Collection Agency (AMCA) that resolves allegations the company violated state consumer protection and data privacy laws in connection with a 2019 nationwide data breach.
The data breach exposed the personal information of more than seven million individuals across the country, including more than 246,000 New Jersey residents.
Today’s settlement resolves an investigation by a coalition of 41 Attorneys General into an eight-month data breach from August 2018 through March 2019 at AMCA, a healthcare debt collection agency that specializes in small balance medical debt collection. During that time, an unauthorized user gained access to the company’s internal system, collecting a broad array of personal information. The information included Social Security numbers, payment card information and, in some instances, the names of medical tests and diagnostic codes. AMCA failed to detect the intrusion, despite warnings from banks that processed its payments.
In the settlement, AMCA agreed to implement a variety of reforms designed to strengthen its data security protections. Although AMCA also agreed to pay $21 million to the participating states as part of the agreement, that payment is suspended as a result of the company’s financial situation, unless the company violates certain other settlement terms.
“Now more than ever, insurance companies, medical debt collection agencies, and other businesses that handle people’s personal financial and medical information must be vigilant about data security,” said Attorney General Grewal. “When companies fail to exercise appropriate vigilance, criminal hackers can be counted on to take advantage of the situation. This settlement should serve as a message to the industry that we’re serious about holding companies accountable when they fail to protect our residents’ sensitive personal data.”
“Companies that collect and store people’s personal and payment information – especially their medical information – have a duty to use appropriate security measures to protect that data,” said Acting Division of Consumer Affairs Director Kaitlin Caruso. “When businesses fail to effectively safeguard the data they store, they leave openings for hackers to exploit. This settlement is important because it requires AMCA to change its data security systems to better protect health care consumers in New Jersey and across the country.”
On June 3, 2019, AMCA notified many states about the breach and began providing notice to the millions of individuals who were affected, along with an offer of two years of free credit monitoring. On June 17, 2019, as a result of the costs associated with providing notification and remediating the breach, AMCA filed for bankruptcy.
In order to continue the investigation, Attorney General Grewal and the other Attorneys General in the coalition participated in the bankruptcy proceedings. AMCA ultimately received permission from the bankruptcy court to settle with the coalition.
Under terms of the settlement, AMCA has agreed to implement and maintain a series of data security practices designed to bolster its information security program and safeguard the personal information of consumers, including:
- Creating and implementing an information security program with detailed requirements, including an incident response plan;
- Employing a qualified Chief Information Security Officer to monitor the information security program;
- Hiring a third-party certified information systems auditor or security professional to perform an assessment of the information security program; and
- Cooperating with the Attorneys General in the coalition on any other investigation or litigation related to the data breach, including by providing information and documents at the states’ request.
In addition to Attorney General Grewal, the Attorneys General for the following states and jurisdictions are participating in today’s settlement: Arizona, Arkansas, Colorado, Connecticut, the District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Nebraska, Nevada, New Hampshire, New Mexico, New York, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Virginia, Washington, and West Virginia.
Deputy Attorney General Kashif T. Chand, Section Chief of the Data Privacy and Cybersecurity Section in the Division of Law’s Affirmative Civil Enforcement Practice Group, and Cody Valdez of the Data Privacy and Cybersecurity Section, handled the AMCA matter on behalf of the State.