41 states reach out to debt agency over data breaches affecting approximately 21 million Americans
Forty-one attorneys general – including those from Florida, Georgia, Pennsylvania, New York, Connecticut, Texas and New Jersey – announced Thursday that they had resolved a data breach lawsuit against a debt collection company that may have disclosed the personal information of up to 21 million people Has .
Under the settlement agreement between the states and the Retrieval-Masters Creditors Bureau, which acts as the American Medical Collection Agency, or AMCA, the company could be held liable for more than $ 21 million.
The agreement states that after the breach, the company filed for bankruptcy and ultimately obtained bankruptcy court permission to resolve the dispute with the states. In December 2020, the company filed for bankruptcy dismissal.
The agreement also states that the $ 21 million will be on hold due to the debt collection company’s financial condition, unless the company violates the terms of the settlement.
The agreement stipulates that the debt collection agency must, among other things, commission an external expert to carry out the information security check. It also requires that the company employ a qualified chief information security officer.
Under the settlement agreement, the company, which is collecting debt on behalf of several medical service providers, including LabCorp, is pulling out debts. and Quest Diagnostics – announced in June 2019 that it was the victim of a data breach between August 2018 and March 2019.
The agreement says the records of approximately 21 million Americans could be at risk. These records contain names, social security numbers, dates of birth, and financial and medical information as agreed.
The company sent letters to people whose privacy might have been violated. It offered consumer credit monitoring over a two-year period, the agreement says.
The attorneys general who signed the agreement said they would continue to hold companies accountable for data breaches.
“AMCA is a warning: If a company does not invest properly in information security, the costs associated with a data breach can lead to bankruptcy – the business is destroyed and those affected are put at risk. My office will continue to work to protect personal information even if the company responsible for it cannot, ”Connecticut Attorney General William Tong said in a statement.
One echo from Tong was New York Attorney General Letitia James.
“When companies manage New Yorkers’ personal information, every effort must be made to protect that information,” James said in a statement. “Today’s agreement ensures that the company has the appropriate security and incident response plan in place so that such an outage does not happen again.”
Pennsylvania Attorney General Josh Shapiro said the American Medical Collection Agency had failed in its responsibility to protect the sensitive health information of consumers.
“They have been warned repeatedly that their system has serious bugs, but they still haven’t taken appropriate steps to fix them,” Shapiro said. “You left your system vulnerable to a massive data breach and the personal information of millions of Americans was at risk.”
Nobody from the American Medical Collection Agency, based in Elmsford, New York, responded to a request for comment at the time of publication.
Saber Corporation reached a $ 2.4 million settlement with 27 states for a data breach that exposed 1.3 million credit cards
CafePress Reaches $ 2 million settlement with states over data breach
States earn $ 17.5 million in compensation from Home Depot for data breach in 2014