41 States Settle AMCA Breach Lawsuit for a Potential $1 Per Patient Fine

The explosive AMCA data breach story has reached a conclusion. 41 states have settled the lawsuit which could potentially lead to $21 million.

Long time readers of Freezenet will remember the explosive AMCA data breach story of 2019. In June of that year, AMCA suffered a major data breach. At the time, the breach was known to be affecting 20 million patients. The breach affected Quest Diagnostics who also got roped into the lawsuit that ultimately ensured. Then, within two days of our first report, AMCA filed for chapter 11 bankruptcy.

Despite the bankruptcy, authorities said that this does not let AMCA off the hook for the damages this event caused people. Shortly after, the number of states suing grew to 19. Ultimately, 41 states wound up being involved in the lawsuit against the now defunct AMCA. 21 million patients were known to be affected in all.

Now, we are learning that the lawsuit has been settled. In all, AMCA faces a potential $21 million fine. That works out to about a whopping $1 per affected patient. From Health Securty:

The Retrieval-Masters Creditors Bureau, d/b/a American Medical Collection Agency reached a with 41 state attorneys general, which could lead to a $21 million fine, to resolve a multistate investigation into its massive healthcare data breach from 2019.

The multistate coalition involved the attorneys general from Washington, DC, New Jersey, New York, Ohio, Oregon, New Hampshire, Florida, Georgia, Hawaii, Idaho, Rhode Island, New Mexico, Arizona, Colorado, Kansas, Idaho, North Carolina, Minnesota, and Michigan, and 22 others.

The AMCA security incident was by far the largest healthcare data breach that year, impacting at least 21 million individuals across the country.

First disclosed in June 2019, a hacker gained access to the billing collections vendor for eight months between August 1, 2018 and March 30, 2019. The access provided the hacker with troves of billing and medical data from a range of AMCA clients.

The impacted clients involved Quest Diagnostics with 11.9 million patients, LabCorp with 7.7 million patients, Clinical Pathology Laboratories with 2.2 million patients, BioReference with 422,000 patients, and a host of others.

The compromised data varied by entity, but included patient names, demographic details, dates of birth, credit cards, balance information, bank accounts, contact details, provider names, and dates of service, among other sensitive data.

The article goes on to say that the settlement also stipulates that the defunct company must implement better security measures. AMCA also must hire a third party assessor to ensure that security requirements are met. If they fail to meet these requirements, then they could get hit with the $21 million fine.

It’s unclear how patients would feel if they knew that their personal, financial and medical records are worth basically $1, but one can only imagine how much that adds insult to injury. Clearly, the states successfully argued that negligence played a role here. What’s worse is that it’s possible that the company might not even face that financial penalty in the first place. Some might look at the story from 2019 and wonder if AMCA was attempting to escape responsibility by declaring Chapter 11 bankruptcy days after the breach was made public. One can’t help but feel, at the very least, disappointed in all of this.

Drew Wilson on Twitter: @icecube85 and Facebook.

2 Trackbacks and Pingbacks

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: