New York Attorney General Letitia announced an agreement between a bipartisan coalition of 41 attorneys general from around the nation and the Westchester County debt collection agency Retrieval-Masters Creditors Bureau, d/b/a American Medical Collection Agency (AMCA), that resolves a multistate investigation into the company’s 2019 data breach. The breach exposed the personal information — including Social Security numbers, payment card information, and, in some instances, names of medical tests and diagnostic codes — of up to 21 million individuals, including 582,146 New Yorkers. AMCA is based in Elmsford, New York and specializes in small-balance medical-debt collection, primarily for laboratories and medical testing facilities.

Between August 1, 2018 and March 30, 2019, an unauthorized user gained access to AMCA’s internal system and was able to collect a wide variety of customers’ personal information. Despite numerous warnings from banks that processed its payments about a potential breach, AMCA failed to detect the intrusion. 

Under the terms of the agreement, AMCA and its principals have agreed to implement and maintain a number of data security practices designed to strengthen its information security program and safeguard the personal information of consumers. These include:

• Creating and implementing an information security program with detailed requirements, including an incident response plan;
• Employing a duly qualified chief information security officer to oversee data safety practices at the company;
• Hiring a third-party assessor to perform an information security assessment; and
• Cooperating with the attorneys’ general investigation and maintaining evidence.
• As part of the agreement, AMCA may also be liable for a $21 million payment to the states if the company violates the injunctive terms of the agreement.