The American Medical Collection Agency (AMCA), a medical bill and debt collector, experienced a large-scale data breach in 2018 but did not discover the incident until March 2019. AMCA notified clients and patients in June 2019. AMCA’s parent company, Retrieval-Masters Creditors Bureau (RMCB), filed for bankruptcy protection weeks after disclosing the breach.
An article by Bank Info Security provides a timeline of the events in the AMCA bankruptcy case and the serious legal and financial implications the company is facing as a result of the data breach. AMCA lost four of its largest clients and was forced to reduce its workforce by over 75% due to the financial impact of the breach. Additionally, RMCB hired IT professionals and consultants to find the cause of the breach and implement solutions, costing the firm $400K as of June 2019.
Given that the company was not able to determine which files or persons had been impacted by the breach, RMCB had “to work under the assumption that all of the information on its servers had been compromised.” In conjunction with “legal requirements and regulatory obligations,” they were required to mail notification to all individuals potentially impacted by the breach. As of June 2019, the costs were in excess of $3.8M, which required the CEO to obtain a secured loan from his personal funds for a significant portion of that amount.
More than 12 class-action lawsuits have been filed against AMCA and RMCB. Some lawsuits were also filed against the company’s clients. Various state Attorneys General have launched investigations into the breach.
There are significant legal and financial implications from a data breach of this size. Iliana Peters, Privacy Attorney at the Polsinelli law firm, notes that this data breach is a great warning for other companies. She comments: “The fact that an entity may be forced into bankruptcy at least in part as a result of the costs associated with the investigation of and state and federal regulatory requirements regarding a security incident or breach should be a wake-up call for entities in all sectors.” Peters also adds that these costs are real and need to be planned for, including by purchasing cyber insurance.
There are many lessons to learn from AMCA’s data breach for healthcare (or any) organizations. Some of these lessons, as referenced by privacy attorney David Holtzman of the security consulting firm CynergisTek, are included below.
- Review vendor agreements very carefully.
- In these agreements, ensure there is a plan for reporting any cyber incidents to the organization. Also, if individuals’ data is compromised, there should be a plan for how these individuals are notified of the breach.
- If you are using a subcontractor, ensure in the agreement that the subcontractor is required to notify you of any cyber incidents they experience and that you are able to investigate the incident.
- Ask vendors/contractors to perform vendor management assessments for any firm that they hire that handles your organization’s protected health information, personally identifiable information, or corporate confidential information.
From the information provided in the articles, it is unclear whether RMCB had a cyber insurance policy. A cyber policy would help significantly with the financial and legal costs associated with a cyber incident. It would also assist an insured in addressing the required actions that must occur after an incident or breach. RMCB had to hire its own vendors to take care of the breach after it occurred. With a cyber policy in place, the insurance company would recommend and assign the needed vendors to assist the insured organization with those required actions. A cyber policy helps an organization deal with the financial impact and consequences of a data breach or cyber incident.