AMCA Medical Debt Collection Agency Settles Multistate Action over 21 Million-Record Data Breach

A settlement has been reached between a coalition of 41 state Attorneys General and American Medical Collection Agency (AMCA) to resolve a case stemming from a data breach involving the protected health information of 21 million Americans. The data breach was the largest healthcare data breach to be reported in 2019.

AMCA specializes in small debt collections from patients of medical testing facilities. From August 1, 2018 until March 30, 2019, hackers had access to an AMCA web portal, through which the hackers could access patient information including contact information, dates of birth, Social Security numbers, and payment card information.

AMCA was alerted to the breach when several financial institutions issued Common Point of Purchase notices to AMCA following the detection of fraudulent credit and debit card purchases. AMCA shut down its web portal and, assisted by third party cybersecurity consultants, determined the web portal had been hacked. As a result of the massive costs of mitigating the breach, AMCA filed for bankruptcy protection in June 2019.

Under the terms of the settlement, the Elmsford, NY-based debt collection agency has agreed to implement new data security practices appropriate to the size and complexity of the company, hire a chief information security officer (CISA) to oversee cybersecurity, develop and implement an incident response plan, and undergo a third-party information security assessment.

Should AMCA fail to abide by the injunctive terms of the settlement it will be liable for a $21 million financial penalty. The state Attorneys General decided to suspend the financial penalty due to the financial position of the company. After the case was concluded and the settlement agreed, AMCA filed for dismissal of the bankruptcy petition.

The investigation into the breach was led by the Indiana, Texas, Connecticut, and New York Attorneys General, with assistance provided by Florida, Illinois, Maryland, Massachusetts, Michigan, North Carolina, and Tennessee. A further 30 states also joined the investigation. Should the terms of the settlement be violated, the financial penalty will be divided across all 41 states.

“AMCA is a cautionary tale: When a company does not adequately invest in information security, the costs associated with a data breach can lead to bankruptcy – destroying the business and leaving affected individuals in harm’s way,” said Connecticut Attorney General Tong. “My office will continue to work to protect personal information even where the business that had the responsibility to do so cannot.”

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of