Attorneys general from 41 states have reached a settlement with Retrieval-Masters Credit Bureau, which operated a collection agency under the name of American Medical Collection Agency, stemming from a data breach in 2019 that exposed the personal information of more than 7 million individuals. The company may be liable for as much as $21 million in penalties if it fails to honor the terms of the settlement.
The collection agency has filed for bankruptcy protection and wound down operations after it uncovered an unauthorized user who had gained access to the agency’s online payments portal. The unauthorized user had accessed the portal for more than six months when the breach was discovered.
Under the terms of the settlement, the agency and its principals have agreed to:
- Create and implement an information security program with detailed requirements, including an incident response plan;
- Employ a duly qualified chief information security officer;
- Hire a third-party assessor to perform an information security assessment; and
- Cooperate with the attorneys general with investigations related to the data breach and maintaining evidence.
A copy of the settlement may be accessed by clicking here.
“Our office pursues data breach cases such as this one to ensure companies take proper steps to protect consumers’ personal information and provide timely notice of a breach so that consumers can protect themselves from identity theft,” said Tom Miller, the Attorney General of Iowa, in a statement.
The states participating in the settlement are: Arizona, Arkansas, Colorado, Connecticut, the District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maryland, Massachusetts, Maine, Michigan, Minnesota, Missouri, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Virginia, Washington, and West Virginia.
The settlement should close the books on the breach, which was one of the biggest stories in the ARM industry back in 2019.