AMCA Parent Company Files for Chapter 11 Protection
Following the massive data breach at American Medical Collection Agency (AMCA) which saw more than 20 million records compromised, AMCA’s parent company, Retrieval-Masters Creditors Bureau Inc., has filed for Chapter 11 protection.
The data breach affected individuals who had received medical testing services from Quest Diagnostics, LabCorp, or BioReference Laboratories. Hackers gained access to the web payment portal used by AMCA and accessed and stole the sensitive personal and financial data of patients. The hackers had access to its payment page for more than 7 months before the breach was detected.
The cost of recovering from a breach on this scale is considerable. So far, AMCA has mailed more than 7 million breach notification letters to affected individuals at a cost of $3.8 million. A further $400,000 has been spent on hiring IT consultants to assist with the breach response.
The data breach caused a cascade of events that led to the bankruptcy filing. Retrieval-Masters Creditors Bureau CEO Russell Fuchs lent AMCA $2.5 million to help cover the cost of mailing the breach notification letters. Fuchs explained in the court filing that the firm had incurred “enormous expenses that were beyond the ability of the debtor to bear.”
Retrieval-Masters was formed in 1977 by Russell Fuchs and was initially focused on small-dollar debt collections for direct mail marketers but has since moved into patient receivables. The company now helps companies recover non-medical and medical debt. Retrieval-Masters stated in the filing that it had reduced staff numbers from 113 to 25 at the end of 2018.
The Chapter 11 filing in the Southern District of New York stated the company is seeking to liquidate assets and liabilities as high as $10 million to cover the rising costs of the cyberattack.
The filing also sheds some light on how the breach was detected.
The breach was first reported on databreaches.net, which had been contacted by researchers at Gemini Advisory who had identified a batch of stolen credit cards and Social Security numbers on a darknet marketplace. Gemini Advisory analysts were able to tie the data to AMCA and issued a notification.
The filing stated AMCA learned about the breach after being notified that a large number of credit cards tied to its payment portal had been used to make fraudulent purchases.
There are still many questions that have not yet been answered related to how access was gained to the payment page and whether the breach was the result of cybersecurity failures. Several state attorneys general have written to AMCA demanding answers.