An Illinois resident alleges in a proposed class action lawsuit that Retrieval-Masters Creditors Bureau, which does business as American Medical Collection Agency (AMCA), knew of asweeping data breachthat affected11.9 million patientsmonths before it notified those affected.
Filed in New York Bankruptcy Court, the 27-page lawsuit says the plaintiff received a letter from AMCA on June 6, 2019 in which the third-party medical bill collection agency informed her of a possible security compromise on its web payments page. Retrieval-Masters reportedly explained in the letter that an unauthorized user had access to AMCA’s backend system “between August 1, 2018 and March 30, 2019,” and accessed patients’ names, Social Security numbers and financial and medical information.
According to the lawsuit, the defendant represented to proposed class members that it had only been made aware of the breach on March 20, 2019. The plaintiff, however, charges that Retrieval-Masters likely new of the hack “much sooner” in that cybersecurity firm Gemini Advisory reportedly attempted to notify the company of the breach as far back as March 1, 2019, only to receive radio silence. Gemini Advisory, the case says, “did not get any response to phone messages” left with AMCA.
In the fallout from the data breach,Retrieval-Masters filed for Chapter 11 bankruptcy protectionon June 17. According toBloomberg’swrite-up of the filing, AMCA’s four largest clients—Quest Diagnostics, LabCorp, Conduent and CareCentrix—all stopped doing business with the company as a result of the cyber incident. Retrieval-Masters linked its bankruptcy filing to “enormous expenses” it incurred from the cybersecurity incident, including a $3.8 million expenditure on mailing more than seven million notices to those affected by the breach.