After the massive data breach at American Medical Collection Agency (AMCA) which resulted to the compromise of over 20 million records, Retrieval-Masters Creditors Bureau Inc., AMCA’s parent company, has submitted for Chapter 11 protection in the Southern District of New York.
The people affected by the data breach received medical testing services from Quest Diagnostics, BioReference Laboratories or LabCorp. Hackers accessed AMCA’s web payment portal, viewed and stole patients’ sensitive private and financial information. The hackers had continued access to the payment portal for over 7 months prior to the discovery of the breach.
Recovering from a breach such as the his entails substantial cost., AMCA already spent $3.8 million for mailing breach notification letters to over 7 million affected individuals. AMCA also spent $400,000 upon hiring IT experts to help respond to the breach.
The data breach created a stream of incidents that ended in the filing of bankruptcy. CEO of Retrieval-Masters Creditors Bureau, Russell Fuchs, lent $2.5 million to AMCA for the cost of sending the breach notification letters. Fuchs stated in the court filing that the AMCA sustained substantial expenses that it is not able to bear.
Russell Fuchs established Retrieval-Masters in 1977 and first targeted small-dollar debt collections for direct mail marketers, however, it has now dealt with patient receivables. The firm currently assists companies get back medical and non-medical debt. Retrieval-Masters mentioned in the filing that it had lessened their number of staff from 113 to 25 in late 2018.
The Chapter 11 filing explained that the company wants to liquidate up to $10 million of assets and liabilities to take care of the growing costs of the cyberattack.
The filing additionally revealed how AMCA detected the breach. Researchers at Gemini Advisory first contacted Databreaches.net about the identified stolen data of credit cards and Social Security numbers being sold on a darknet marketplace. After Gemini Advisory was able to determine the data was from AMCA, it issued a notification. But Databreaches.net first reported the breach.
The bankruptcy filing mentioned AMCA knew about the breach after getting a notification that a good number of credit cards linked to its payment website were used for bogus purchases.
Answers to many questions are still unclear such as how the hackers accessed the payment webpage and if AMCA failed to implement cybersecurity controls that resulted to the breach. A number of state attorneys general already communicated with AMCA to demand some answers.