AMCA Bankruptcy Filing in Wake of Breach Reveals ImpactCourt Documents Outline a 'Host of Negative Consequences'
In a case underscoring the potential financial havoc wreaked by data breaches, the 42-year-old parent company of American Medical Collection Agency has filed for bankruptcy just weeks after disclosing a data breach that affected its largest clients and millions of patients.
See Also: API Security: Making Sense of the Market
In a Monday filing in a New York federal bankruptcy court, Retrieval-Masters Creditors Bureau, which does business as AMCA, says it's seeking court approval for an "effective transition into Chapter 11 and to provide the best opportunity for a cost-effective and orderly liquidation."
The move comes after the March discovery of a major data breach, revealed in June. The breach not only caused AMCA's largest clients to end their business relationships with the Elmsford, New York-based debt collection agency, but has also resulted in "enormous expenses that were beyond the ability of [the company] to bear," Russell Fuchs, RMCB's owner and CEO, says in court documents.
On June 3, three medical testing laboratories - Quest Diagnostics, LabCorp and BioReference Laboratories, which is part of Opko Health Co. - each filed 8K forms with the U.S. Securities and Exchange Commission saying they were informed by AMCA that they were affected by an "unauthorized access" data breach at the collection agency.
In those filings, Quest Diagnostics said nearly 12 million of the patients that is serves were impacted by the breach. LabCorp reported 7.7 million individuals were affected, and BioReference Laboratories said nearly 423,000 patients were impacted.
'Cascade of Events'
In court documents, Fuchs says that after more than 40 years in business with no known data security incidents, AMCA in March became aware of what turned out to be a major data breach that apparently had occurred sometime during 2018.
The company first learned that there might be a problem when it received a series of Common Point of Purchase notices that suggested that a disproportionate number of credit cards that at some point had interacted with AMCA's web portal were later associated with fraudulent charges, the court documents say.
In response, AMCA shut down its web portal to prevent any further compromises of customer data and engaged outside consultants who confirmed that AMCA's servers had been hacked as early as August, 2018, Fuchs says in the filing. "This knowledge led to ... a cascade of events that ultimately has resulted in the [company's] need to seek relief under Chapter 11," he states.
"The Chapter 11 application ... should not stand in the way of OCR, state attorneys generals or other federal and state regulatory bodies investigating AMCA or attempting to seek enforcement remedies."
—David Holtzman, CynergisTek
As a result of the data breach, the company suffered "a severe drop-off in its business," he says in the filing.
"Almost immediately upon learning of the breach, LabCorp unqualifiedly and indefinitely terminated its relationship with the [company]. Soon after, Quest Diagnostics, Conduent Inc., and CareCentrix Inc., which together with LabCorp were [RMCB's] four largest clients, stopped sending new work to [RMCB], and all terminated or substantially curtailed their business relationships with the [company]."
In a statement provided to Information Security Media Group, Hartford, Conn.-based CareCentrix confirmed it has terminated its contract with AMCA.
"We are working to learn more about the data security incident at AMCA and to ensure that AMCA fulfills its obligations, including its obligation to issue all required notifications to potentially impacted individuals and regulatory authorities," CareCentrix says.
LabCorp says in a statement that it continues to investigate the AMCA data security incident to more fully understand which of the patients that it serves were affected by and what additional steps may be appropriate. "We are committed to handling this in a transparent and thorough manner. We will work vigorously to protect our interests and the interests of our customers who may be affected by the AMCA data security incident," the company says.
Conduent, a Florham Park, New Jersey-based technology services firm did not immediately respond to ISMG's request for comment, nor did Quest Diagnostics.
In the bankruptcy filing, Fuchs says RMCB hired IT professionals and consultants from three firms to identify the source of the breach, diagnose its cause, and implement appropriate solutions.
"To date, these expenses alone cost approximately $400,000, and have effectively shut down outside entry into the [company's] IT network by severely restricting access via the employment of individual authentication mechanisms, VPN access, or specifically vetted 'whitelists' of pre-approved IPs," the filing states.
In addition, the discovery of the data breach triggered a number of legal requirements and regulatory obligations, including notifying by mail individuals whose information may have been accessed, court documents note.
"Because the [company] was unable to determine a particular subset of persons or data files that had been hacked, [the company] had no choice but to work under the assumption that all of the information within its servers was compromised. As a result, the [company] had to spend in excess of $3.8 million to mail well over 7 million individual notices that began to go out on June 6," the bankruptcy filing states.
To pay for notification, Fuchs says in the filing he had to "obtain a secured loan from my personal funds in the amount of $2.5 million, which together with existing cash on hand was sufficient to fund mailing of the notices."
In the wake of the breach, the company "had no choice" but to substantially reduce its workforce, from 113 employees at year-end 2018 to just 25 as of the bankruptcy filing, Fuchs says. "The [company] is no longer is optimistic that it will be able to rehabilitate its business."
More to Worry About
The court filing also notes that among a "host of negative consequences" brought on by the data breach are "not only a crush of litigation and pre-litigation activity by contract counter-parties and other private entities ... but also a host of requests and demands made by numerous governmental authorities, all related to the data security breach sustained by the [company]."
Since the revelation of the data breach, more than a dozen class action lawsuits have been filed against RMCB and AMCA, as well as against some of the company's clients impacted by the incident, including Quest Diagnostics, LabCorp and BioReference Laboratories.
Also, New Jersey's two U.S. senators earlier this month sent a letter to Secaucus, New Jersey-based Quest Diagnostics demanding answers about the AMCA breach.
In addition, the attorneys general of several states have also announced they've launched investigations into the AMCA breach.
The Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA, has has not shied away from launching HIPAA enforcement actions against companies that went bankrupt or shut down in the wake of breaches.
"The Chapter 11 application ... should not stand in the way of OCR, state attorneys general or other federal and state regulatory bodies investigating AMCA or attempting to seek enforcement remedies," says privacy attorney David Holtzman of the security consulting firm CynergisTek.
OCR has signed HIPAA settlements with two organizations that either went out of business or filed for bankruptcy after a breach.
In 2018, OCR announced a $100,000 settlement with Filefax, a now-defunct medical records storage company at the center of a 2015 "dumpster diver" breach affecting more than 2,000 patients.
And in 2017, OCR announced a $2.3 million settlement with bankrupt cancer care clinic chain, 21st Century Oncology. Under the HIPAA resolution agreement with 21st Century Oncology, the monetary payment to OCR was made by the clinic's cyber insurer, Beazley Group.
RMCB's bankruptcy documents do not mention whether the company had any cyber insurance policies. An attorney handling the RMCB bankruptcy did not immediately respond to ISMG's inquiries about the company's Chapter 11 filing, including whether the debt collection agency had cyber insurance.
Lessons to Learn
So what lessons can other healthcare sector entities learn from the AMCA bankruptcy stemming from its data breach?
"One lesson to be learned from this fiasco is to ensure that all vendor agreements include provisions for what types of incidents have to be reported to your healthcare organization and when that notification must be provided," Holtzman says.
"Equally important is specifying in your vendor contract how information about incidents involving subcontractors is reported to you and rights to obtain information or investigate such incidents. The more access an organization has to your information system or the sensitivity of the data, the more comprehensive and thorough the examination."
Holtzman also advises organizations to "ask your vendors or contractors to identify and perform vendor management assessment of the subcontractors or vendors they hire to create or maintain your organization's personally identifiable data."
Privacy attorney Iliana Peters of the law firm Polsinelli says the bankruptcy filing by AMCA's parent company due to the breach is a warning to other organizations.
"The fact that an entity may be forced into bankruptcy at least in part as a result of the costs associated with the investigation of and state and federal regulatory requirements regarding a security incident or breach should be a wake-up call for entities in all sectors," she says.
"The events themselves are very scary, and the resulting costs are real, and should be planned for, including with regard to cyber incident insurance," she adds.
"This is also a very important issue for HIPAA covered entities and business associates to address in their business associate agreements, so that all entities involved in a business relationship understand how costs will be covered when a breach occurs."