Attorney General Cameron Announces Multistate Settlement with American Medical Collection Agency for Data Security Breach

FRANKFORT, Ky. (March 11, 2021) – Attorney General Daniel Cameron today announced a multistate settlement with Retrieval-Masters Creditors Bureau, doing business as American Medical Collection Agency (AMCA), for a 2019 data security breach.  The breach affected the personal information of more than 100,000 Kentuckians and compromised the personal information of 7 million consumers.  It also potentially endangered the information of up to 21 million Americans.

“Kentucky’s Consumer Protection Act requires companies to take appropriate measures to safeguard the personal information of consumers, and our Office of Consumer Protection works on behalf of Kentuckians to ensure companies, like AMCA, follow these laws,” said Attorney General Cameron. “This settlement requires AMCA to implement data security practices to protect consumers from future cyber-attacks.”

From August 1, 2018, through March 30, 2019, an unauthorized user gained access to AMCA’s internal system allowing them to collect a wide variety of personal information, including Social Security numbers, payment card information, and, in some instances, names of medical tests and diagnostic codes. Despite warnings from banks that processed AMCA’s payments, the company failed to detect the intrusion.

On June 3, 2019, AMCA provided notice to many states of the data security breach and began contacting and offering affected consumers two years of free credit monitoring. Because of the costs associated with notification and remediation, on June 17, 2019, AMCA filed for bankruptcy.

The coalition participated in AMCA’s bankruptcy proceedings to continue the investigation and take steps to ensure the personal information of their consumers was protected. AMCA ultimately received permission from the bankruptcy court to settle with the multistate coalition and on December 9, 2020, filed for dismissal of the bankruptcy. 

As part of the settlement, AMCA may be liable for a $21 million total payment to the states.  Because of AMCA’s financial condition, the payment is suspended unless the company violates certain terms of the settlement agreement. 

Under the terms of the settlement, AMCA and its principals have agreed to implement and maintain a series of data security practices designed to strengthen its information security program and safeguard the personal information of consumers. These include:

  • Creating and implementing an information security program with detailed requirements, including an incident response plan;
  • Employing a duly qualified chief information security officer;
  • Hiring a third-party assessor to perform an information security assessment; and
  • Cooperating with the attorneys general with investigations related to the data breach and maintaining evidence.

The settlement was reached between 41 attorneys general and AMCA.  Attorney General Cameron joined attorneys general from Arizona, Arkansas, Colorado, the District of Columbia, Connecticut, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Virginia, Washington, and West Virginia in the settlement.

To view a copy of the settlement, click here