TALLAHASSEE, Fla.—Attorney General Ashley Moody today took action against Retrieval-Masters Creditors Bureau d/b/a American Medical Collection Agency resolving a multistate investigation into a 2019 data breach that exposed the personal information of more than 7 million individuals, including 1.25 million Florida residents. The data breach potentially exposed the personal information of up to 21 million individuals throughout the United States. Attorney General Moody is joined in the multistate action by 40 other state attorneys general.
Attorney General Ashley Moody said, “This data breach exposed the personal information of more than one million Floridians—jeopardizing their identities, finances and online security. I’m proud to work with my counterparts in other states to strengthen this agency’s security measures to help ensure any future personal information collected remains private.”
Retrieval-Masters Creditors Bureau is a debt collection agency. Under the name American Medical Collection Agency, the company specialized in small balance medical debt collection primarily for laboratories and medical testing facilities. An unauthorized user gained access to AMCA’s internal system from Aug. 1, 2018, through March 30, 2019. AMCA failed to detect the intrusion, despite warnings from banks that processed its payments. The unauthorized user collected a wide variety of personal information, including Social Security numbers, payment card information and, in some instances, names of medical tests and diagnostic codes.
On June 3, 2019, AMCA provided notice to many states and began providing notice to more than 7 million affected individuals that included an offer of two years of free credit monitoring. On June 17, 2019, AMCA filed for bankruptcy as a result of the costs associated with providing notification and remediating the breach.
As part of the agreement, AMCA may be liable for a $21 million total payment to the states. Because of AMCA’s financial condition, that payment is suspended unless the company violates certain terms of the settlement agreement.
Under the terms of the agreement, AMCA and its principals have agreed to implement and maintain a series of data security practices designed to strengthen the company’s information security program and safeguard the personal information of consumers. These include:
- Creating and implementing an information security program with detailed requirements, including an incident response plan;
- Employing a duly-qualified Chief Information Security Officer;
- Hiring a third-party assessor to perform an information security assessment; and
- Cooperating with the attorneys general investigations related to the data breach and maintaining evidence.
In addition to Florida, represented by Attorney General Moody’s Consumer Protection Division Assistant Attorney General Diane Oates, the multistate group includes: Arizona, Arkansas, Colorado, Connecticut, the District of Columbia, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Virginia, Washington and West Virginia.
The proposed consent judgment is pending judicial approval
