AMCA files for bankruptcy just months after Data Breach
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...

AMCA files for bankruptcy just months after Data Breach

The American Medical Collections Agency’s parent company files for Chapter 11 bankruptcy.

Let’s update you on a story we covered a few weeks ago: the American Medical Collections Agency’s data breach. At the time we opined that AMCA should be the one wearing this security gaffe – not just LabCorps and Quest.

Now, just two weeks later, the AMCA’s parent company, Retrieval-Masters Creditors Bureau, is filling for Chapter 11 bankruptcy.

We talk all the time about the consequences that can come with a data breach, the compliance penalties, the financial repercussions – the loss of confidence in your company.

This is a perfect example. AMCA is a sub-brand of Retrieval-Masters, but this affects the whole company. So, today we’re going to talk a little bit about AMCA, Chapter 11 bankruptcy and what this all means.

Let’s hash it out.

What happened with AMCA?

Just a quick refresher, if you want the full story I recommend you check out our coverage from a few weeks ago. But here’s the abridged version: The AMCA suffered a massive data breach that affected customers at two of the United States’ biggest lab testing companies, Quest and LabCorps. It also affected some of its lesser-known testing companies, too: BioReference Laboratories, CareCentrix and Sunrise Labs.

Report it Right: AMCA got hacked – Not Quest and LabCorp

The way the media covers data breaches is probably bad for cybersecurity as a whole. We need more knowledgeable coverage and more accurate headlines.

Read more

“We are investigating a data incident involving an unauthorized user accessing the American Medical Collection Agency system. Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page,” a spokesperson for AMCA said at the time.

As the name suggests, the AMCA handles billing for the aforementioned lab testing companies. Specifically collections. When you don’t pay on time, the AMCA is who harrasses you. The breach occurred because hackers were able to break into the AMCA’s web payment portal and access company databases filled with customers’ personal and payment information.

In all, over 20-million customers were affected. And because of HIPAA reporting requirements, the two lab companies both had to make disclosures. Given their name recognition, it was Quest and LabCorps who made the headlines while AMCA typically came into the story a few paragraphs down.

Now, it seems karma is evening the score.

What is Chapter 11 Bankruptcy?

First things first: Retrieval-Masters isn’t going out of business. It’s not shutting down. At least not immediately. You likely still owe them some money (that they’re now going to be even more intent on collecting).

What Chapter 11 bankruptcy does is allows companies to “reorganize” to keep their business alive and pay their creditors over time. Much like there was a rich irony in Equifax getting its credit rating reduced, there’s also a degree of schadenfreude in seeing a debt collection agency forced to reorganize its debts.

Generally Chapter 11 bankruptcies begin with the filing of a petition to relevant bankruptcy court in the company’s jurisdiction.

From USCourts.gov:

Unless the court orders otherwise, the debtor also must file with the court: (1) schedules of assets and liabilities; (2) a schedule of current income and expenditures; (3) a schedule of executory contracts and unexpired leases; and (4) a statement of financial affairs.

That kicks off a long, bureaucratic process that is essentially designed to help large organizations fend off potentially business-crippling debt.

Retrieval-Masters/AMCA was running up one hell of a bill

Let’s start by talking about just how much money passes through the AMCA each year: “over $1 billion in annual receivables…” Obviously, they don’t get to keep all that, but it’s still a significant enough figure to help indicate just how expensive this was all getting for the collections agency.

The investigation into the incident cost $400,000 and it cost an additional $3.8-million to send out all of the required notifications to customers.

That’s over $4.2-million dollars just reporting it. That was enough to force Retrieval Masters to leverage most of its existing assets in order to take out a loan that it must now repay.

Then you have incoming compliance and regulatory penalties that will total in the millions, plus there have already been a pair of class action lawsuits filed and the total number of affected customers continues to grow by the day, which in turn beckons even more lawsuits.

It was enough of an existential threat that Retrieval-Masters need to take drastic action.

Let’s look at some of the other impacts from its filing with the Southern District of New York:

Lost Business

Most critically, as a result of the discovery of the data breach and its aftermath, the Debtor suffered a severe drop-off in its business. Almost immediately upon learning of the breach, LabCorp unqualifiedly and indefinitely terminated its relationship with the Debtor. Soon after, Quest Diagnostics, Conduent, Inc., and CareCentrix, Inc. which together with LabCorp were the Debtor’s four largest clients, stopped sending new work to the Debtor, and all terminated or substantially curtailed their business relationships with the Debtor.

Borrowing money to send notifications

This required more liquidity than the Debtor had available. As a result, and in order to ensure that appropriate notice of the data breach was provided to all individuals possibly affected, the Debtor obtained a secured loan from my personal funds in the amount of $2.5 million, which together with existing cash-on-hand was sufficient to fund mailing of the notices.

Mass Layoffs

In the wake of all the foregoing, including the loss its largest clients, the Debtor also had no choice to substantially reduce its workforce, from 113 employees at year-end 2018, to just 25 as of the Petition Date. The Debtor no longer is optimistic that it will be able to rehabilitate its business.

Asking permission to pay your own employees

The Debtor seeks authority from the Court to pay prepetition employee wages and satisfy related benefit obligations in the ordinary course. The Debtor’s employees perform a wide variety of functions which willbe critical to the administration of the Debtor’schapter 11 case. Without their continued, uninterrupted services, the ability of the Debtor to maintain and administer its estate willbe materially impaired.

Winding down business operations

Accordingly, the Debtor has filed the instant chapter 11 petition in order to allow it the breathing room to appropriately evaluate its pool of remaining assets and liabilities, cost-effectively respond to regulatory demands, and ultimately, to wind-up of its business in an orderly fashion through a liquidating chapter 11 plan.

Based on the available information, Retrieval-Masters would classify as a small business in the US. Again, we discuss all the time how much more dangerous these kinds of security threats are to SMBs. This is a perfect case-in-point.

Don’t let cybersecurity be your company’s Achilles heel.

As always, leave any comments or questions below…

Hashed Out by The SSL Store is the voice of record in the SSL/TLS industry.

Author

Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.