Debt Collector Reaches Settlement Over Data Breach Exposing Personal Information of Up to 21 Million Consumers

  • A bipartisan group of 41 AGs, led by Connecticut AG William Tong, Indiana AG Todd Rokita, New York AG Letitia James, and Texas AG Ken Paxton, reached a settlement with debt collection agency Retrieval-Masters Creditors Bureau d/b/a American Medical Collection Agency (“AMCA”) over allegations that it failed to protect the personal information of millions of consumers in a 2019 data breach in violation of the states’ respective consumer protection laws.
  • According to the New York AG’s office, an unauthorized user accessed AMCA’s internal systems from August 2018 to March 2019, and AMCA failed to detect the intrusion despite warnings from third parties that processed its payments. The hacker accessed the data of up to 21 million consumers and collected a variety of personal information, including Social Security numbers, payment card information, and medical tests and diagnostic codes. AMCA also filed for bankruptcy in June 2019, which was dismissed in December 2020.
  • Under the terms of the settlement, AMCA agreed to implement and maintain an information security program with detailed requirements, including creating an incident response plan, and hiring a third-party assessor to evaluate its information security, among other things. AMCA may also be liable for up to a $21 million total payment to the states, but the payment is suspended so long as AMCA does not violate the settlement’s injunctive terms.