Medical Debt Collector Poised to Shutter Following 2018 Breach
A data breach, and the cybersecurity consulting costs, legal requirements, and regulatory obligations that followed it, proved too much for this company to come back from.
Company news following a data breach can sometimes be inspiring: some tales center on recovery, others on transparency. In reality, that is not always how it ends.
If damaging enough, data breaches can serve as the death knell for a company.
The American Medical Collection Agency (AMCA), a medical debt collector headquartered in Westchester County, New York, filed for Chapter 11 bankruptcy protection this week, a signal that a breach it experienced last year may have been too much for the company to recover from.
Russell Fuchs, AMCA’s founder and CEO, filed a declaration (.PDF) in United States Bankruptcy Court in the Southern District of New York in support of the action on Monday under the name of its parent company, Retrieval-Masters Creditors Bureau, Inc.
According to the declaration, AMCA became aware of the breach in March 2019 after receiving a slew of Common Point of Purchase (CPP) notices from card issuers, which indicated that a number of payment cards that had at some point been used on its web portal were later associated with fraudulent charges.
While the breach was initially believed to affect only 200,000 victims, further review put the figure at 100 times that: upwards of 20 million patients, including patients of healthcare clients Quest Diagnostics, LabCorp, Carecentrix, BioReference Laboratories, and Sunrise Laboratories, may have been affected.
Unbeknownst to AMCA, the company’s web payment portal began leaking customer data, including names, home addresses, phone numbers, dates of birth, Social Security numbers, payment card details, and bank account information, after the company's servers were hacked in 2018.
If a patient paid for laboratory work through one of the aforementioned clinical or blood testing firms dating back to last summer, and used AMCA’s portal to pay for it, their data may have been compromised.
According to Fuchs, the company “has always been adequately capitalized to operate its business,” but the losses incurred by the breach, including $400,000 spent on IT professionals and consultants from three different firms, were beyond its ability to bear. The unnamed outside consultants determined that AMCA’s servers had been hacked as early as August 2018.
Gemini Advisory, a firm that monitors underground markets on behalf of financial organizations, notified the website DataBreaches.net in May that its researchers had found payment card data belonging to 200,000 AMCA patients for sale on a marketplace. That number rose quickly: in a Securities and Exchange Commission 8-K filing earlier this month, Quest Diagnostics said AMCA had informed it that 11.9 million Quest patients were affected. BioReference Laboratories added to that figure, confirming in an 8-K filing of its own that AMCA had informed the company that data on 422,600 patients it had performed testing on was affected.
While AMCA obviously lost business following the breach – some of its largest clients terminated their relationship with the company – a lack of visibility into its own data also appears to have contributed to AMCA’s downfall.
Because it could not determine which records had actually been accessed, the company had to operate under the assumption that all of the information on its servers had been compromised. According to Fuchs, satisfying its legal requirements and regulatory obligations under that assumption meant spending nearly $4 million – “more liquidity than [it] had available” – to mail over seven million individual notices to those whose data may have been breached.
That AMCA went from August 2018 until March 2019 without realizing its servers had been hacked means patient data was exposed for more than half a year. That is a brutal blow, but one that could potentially have been lessened by a data-centric approach to security: knowing where sensitive information lives and logging who accesses it, from where, and when, both shortens the time to detection and lets a breach be scoped to the records actually touched rather than to everything on the server.
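To make the visibility point concrete, here is an added example (not code from the article, and not AMCA's systems) showing how a per-record access audit trail changes the size of the notification set. The log format, the timestamps, the TEST-NET source address, and the patient IDs are all constructed for illustration. With per-record logging, the breach is scoped to the records a suspect source read during the compromise window; if even one in-window suspect access cannot be tied to a record, the scope is marked incomplete and the only defensible answer is to notify everyone.

```python
"""Scoping a breach from per-record access logs (constructed example)."""
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed audit-log lines, one JSON object per line. The schema
# (ts/actor/src/action/record) is an assumption for this example.
SAMPLE_LOG = """\
{"ts": "2018-07-15T09:00:00Z", "actor": "svc-portal", "src": "203.0.113.7", "action": "read", "record": "P-0001"}
{"ts": "2018-08-02T10:14:00Z", "actor": "svc-portal", "src": "203.0.113.7", "action": "read", "record": "P-0002"}
{"ts": "2018-09-10T16:30:00Z", "actor": "admin-jdoe", "src": "10.0.0.8",    "action": "read", "record": "P-0003"}
{"ts": "2019-01-05T03:12:00Z", "actor": "svc-portal", "src": "203.0.113.7", "action": "read", "record": "P-0004"}
{"ts": "2019-01-05T03:12:30Z", "actor": "svc-portal", "src": "203.0.113.7", "action": "read", "record": "P-0002"}
{"ts": "2019-04-01T12:00:00Z", "actor": "svc-portal", "src": "203.0.113.7", "action": "read", "record": "P-0005"}
"""

# A coarser log that records accesses but not which record was read.
COARSE_LOG = """\
{"ts": "2018-11-20T08:00:00Z", "actor": "svc-portal", "src": "203.0.113.7", "action": "query"}
{"ts": "2019-02-14T22:45:00Z", "actor": "svc-portal", "src": "203.0.113.7", "action": "read", "record": "P-0006"}
"""

ALL_RECORDS = frozenset(f"P-{i:04d}" for i in range(1, 7))

# Window established by the forensic review (constructed dates).
COMPROMISE_START = datetime(2018, 8, 1, tzinfo=timezone.utc)
COMPROMISE_END = datetime(2019, 3, 20, tzinfo=timezone.utc)
SUSPECT_SOURCES = frozenset({"203.0.113.7"})  # attacker source per the (constructed) IR findings


@dataclass(frozen=True)
class Scope:
    records: frozenset   # records known to have been accessed by a suspect source
    complete: bool       # False if some in-window suspect access could not be tied to a record


def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def scope_breach(log_text: str, start: datetime, end: datetime, suspect_sources) -> Scope:
    """Return the records touched by suspect sources inside [start, end]."""
    touched = set()
    complete = True
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        ts = parse_ts(event["ts"])
        if not (start <= ts <= end):
            continue                      # outside the compromise window
        if event.get("src") not in suspect_sources:
            continue                      # legitimate access, not in scope
        record = event.get("record")
        if record is None:
            complete = False              # access seen, but the log cannot say which record
        else:
            touched.add(record)
    return Scope(frozenset(touched), complete)


def notification_set(scope: Scope, all_records) -> set:
    """Who must be notified: only touched records if the scope is complete, else everyone."""
    if scope.complete:
        return set(scope.records)
    return set(all_records)


if __name__ == "__main__":
    fine = scope_breach(SAMPLE_LOG, COMPROMISE_START, COMPROMISE_END, SUSPECT_SOURCES)
    coarse = scope_breach(COARSE_LOG, COMPROMISE_START, COMPROMISE_END, SUSPECT_SOURCES)
    print("per-record log  ->", sorted(notification_set(fine, ALL_RECORDS)))
    print("coarse log      ->", sorted(notification_set(coarse, ALL_RECORDS)))
```

With the per-record log, two of six patients are notified; with the coarse log, one unattributable query inside the window forces notification of all six. The same logic scales to the millions of records in the story, which is where the difference between "two" and "all" becomes the difference between a manageable mailing and nearly $4 million in postage.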