(Boise) – Attorney General Lawrence Wasden today announced a multistate settlement with a New York-based medical collection agency over a 2019 data breach that exposed the personal information of more than 7 million people nationwide, including 3,068 in Idaho.

Retrieval-Masters Creditors Bureau, under the name American Medical Collection Agency (AMCA), specialized in small balance medical debt collection primarily for laboratories and medical testing facilities. An unauthorized user gained access to AMCA’s internal system between August 2018 and March 2019. AMCA failed to detect the intrusion despite warnings from banks that processed its payments. The unauthorized user was able to collect a wide variety of personal information including Social Security numbers, payment card information, and, in some instances, names of medical tests and diagnostic codes.

In June 2019, AMCA provided notice to states and individuals that included an offer of two years of free credit monitoring. On June 17, 2019, as a result of the costs associated with the breach, AMCA filed for bankruptcy. In order to continue the investigation and take steps to ensure the personal information of their residents was protected, the multistate coalition of attorneys general participated in all bankruptcy proceedings. The company ultimately received permission from the bankruptcy court to settle with the coalition and on December 9, 2020, filed for dismissal of the bankruptcy.

As part of the settlement, AMCA may be liable for a $21 million total payment to the states. Because of AMCA’s financial condition, that payment is suspended unless the company violates certain terms of the settlement agreement.

Under the terms of the settlement, AMCA and its principals have agreed to implement and maintain a series of data security practices designed to strengthen its information security program and safeguard the personal information of consumers. These include:
– Creating and implementing an information security program with detailed requirements, including an incident response plan;

– Employing a qualified chief information security officer;

– Hiring a third-party assessor to perform an information security assessment; and

– Cooperating with the attorneys general with investigations related to the data breach and maintaining evidence