A US medical bill and debt collection agency has filed for Chapter 11 bankruptcy protection after suffering a data breach that exposed the sensitive personal data of at least 20 million people.
Compromised data included names, addresses, dates of birth and Social Security numbers – data that could be used to commit fraud and identity theft.
RMCB (the Retrieval-Masters Creditors Bureau) – the parent company of AMCA (the American Medical Collection Agency) – listed assets and liabilities of up to $10 million and estimated that it had between 100 and 199 creditors.
The company’s founder and CEO Russell H. Fuchs said in a court declaration that the breach had prompted a “cascade of events” resulting in “enormous expenses that were beyond [its] ability […] to bear”.
These included spending more than $3.8 million on notifying more than 7 million individuals that their personal data had potentially been compromised – $2.5 million of which Fuchs loaned the company himself.
Chapter 11 filings help businesses restructure their debts and assets, and wind up their affairs in an orderly manner.
Undetected data breach
AMCA was hacked over an eight-month period from 1 August 2018 to 30 March 2019.
Gemini Advisory, which alerted it to the incident, explains that it first identified information stolen from the company on 28 February.
The next day, it “made several unsuccessful attempts to contact AMCA in order to alert the victims” before informing federal law enforcement.
Databreaches.net first reported the incident on 10 May, using information provided by Gemini Research, but was unable to elicit any comment from AMCA.
Customer data exposed
According to ZDNet, companies that used AMCA’s payment portal to bill their medical customers include Quest Diagnostics (12 million exposed records), LabCorp (8 million), BioReference Laboratories (423,000), Carecentrix (500,000) and Sunrise Laboratories (unknown number).
All have either “terminated or substantially curtailed their business relationships” with AMCA, Fuchs said.
The real price of a data breach
RMCB/AMCA has been in business since 1977. Following the breach, it was forced to reduce its headcount by 88 to 25. Moreover, it is not “optimistic that it will be able to rehabilitate its business”.
After more than 40 years, this will be a bitter blow.
The lesson to be learned is that all organisations are at risk from cyber attacks and that the results can be disastrous.
Defending against cyber attacks is therefore critical.
Cyber security boot camp
If you need to improve your cyber security quickly, you can get all the support you need on our cyber security boot camp.
Download our free Cyber Security Combat Plan and discover:
- The five defensive measures you should take to protect your organisation from cyber attacks;
- The benefits and the risks associated with each of them; and
- How to build a business case for implementing them.