Date: 2021-03-30

A settlement has been reached by the State of Tennessee with a collection agency that had a data breach in 2019 that exposed the personal information of more than 132,000 Tennesseans, according to a news release Monday by Attorney General Herbert H. Slatery III.
Tennessee is part of a coalition of 41 state attorneys general that reached the legal accord with Retrieval-Masters Creditors Bureau, a debt collection agency doing business as American Medical Collection Agency.
The settlement resolves a multistate investigation into the data breach, Slatery said in the news release.
AMCA specialized in small balance medical debt collection primarily for laboratories and medical testing facilities. An unauthorized user gained access to AMCA’s internal system from Aug. 1, 2018, through March 30, 2019.
“AMCA failed to detect the intrusion, despite warnings from banks that processed its payments. The unauthorized user was able to collect Social Security numbers, payment card information, and, in some instances, names of medical tests and diagnostic codes,” the release said.
In June 2019, AMCA provided notice to many states and began providing notice to more than 7 million affected individuals nationwide that included an offer of two years of free credit monitoring.
On June 17, 2019, as a result of the costs associated with providing notification and remediating the breach, AMCA filed for bankruptcy. The multistate attorneys general coalition participated in bankruptcy proceedings.
AMCA received permission from the bankruptcy court to settle with the multistate coalition, and filed for dismissal of the bankruptcy in December 2020.
As part of the settlement, AMCA may be liable for a $21 million total payment to the states, the release said.
“Patients should not have to worry about their personal information, and especially sensitive medical information, being exposed through a security breach. Tennessee will continue to hold companies accountable that do not implement proper safeguards or drag their feet when a breach occurs,” Slatery said.
Because of AMCA’s financial condition, that payment is suspended unless the company violates certain terms of the settlement agreement, which include the following data security practices:
- Creating and implementing an information security program with detailed requirements, including an incident response plan;
- Employing a duly qualified chief information security officer;
- Hiring a Third-Party Assessor to perform an information security assessment; and
- Cooperating with the attorneys general with investigations related to the data breach and maintaining evidence.
To read the agreed final judgment, go to: https://www.tn.gov/content/dam/tn/attorneygeneral/documents/pr/2021/pr21-13-afj.pdf