USA: 41 State AGs announce $21M settlement against AMCA following data breach
The Pennsylvania Attorney General ('AG'), Josh Shapiro, announced, on 11 March 2021, alongside 41 other state AGs, a $21 million settlement with Retrieval-Masters Creditors Bureau, conducting businesses as the American Medical Collection Agency ('AMCA'), resolving a multi-state investigation into the 2019 data breach that exposed the personal information of over 7 million individuals. In particular, under the terms of the settlement, AMCA and its principals have agreed to implement and maintain a series of data security practices designed to strengthen its information security program and safeguard the personal information of consumers, these include:
- creating and implementing an information security program with detailed requirements, including an incident response plan;
- employing a duly qualified Chief Information Security Officer;
- hiring a Third-Party Assessor to perform an information security assessment; and
- cooperating with the AGs with investigations related to the data breach and maintaining evidence.
As part of the settlement, AMCA may be liable for a $21 million total payment to the states. However, due to AMCA's financial condition, that payment is suspended unless the company violates certain terms of the settlement agreement.