AMCA files for bankruptcy just months after Data Breach
The American Medical Collections Agency’s parent company files for Chapter 11 bankruptcy.
Let’s update you on a story we covered a few weeks ago: the American Medical Collections Agency’s data breach. At the time we opined that AMCA should be the one wearing this security gaffe – not just LabCorps and Quest.
Now, just two weeks later, the AMCA’s parent company, Retrieval-Masters Creditors Bureau, is filling for Chapter 11 bankruptcy.
We talk all the time about the consequences that can come with a data breach, the compliance penalties, the financial repercussions – the loss of confidence in your company.
This is a perfect example. AMCA is a sub-brand of Retrieval-Masters, but this affects the whole company. So, today we’re going to talk a little bit about AMCA, Chapter 11 bankruptcy and what this all means.
Let’s hash it out.
What happened with AMCA?
Just a quick refresher, if you want the full story I recommend you check out our coverage from a few weeks ago. But here’s the abridged version: The AMCA suffered a massive data breach that affected customers at two of the United States’ biggest lab testing companies, Quest and LabCorps. It also affected some of its lesser-known testing companies, too: BioReference Laboratories, CareCentrix and Sunrise Labs.
Report it Right: AMCA got hacked – Not Quest and LabCorp
The way the media covers data breaches is probably bad for cybersecurity as a whole. We need more knowledgeable coverage and more accurate headlines.
“We are investigating a data incident involving an unauthorized user accessing the American Medical Collection Agency system. Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page,” a spokesperson for AMCA said at the time.
As the name suggests, the AMCA handles billing for the aforementioned lab testing companies. Specifically collections. When you don’t pay on time, the AMCA is who harrasses you. The breach occurred because hackers were able to break into the AMCA’s web payment portal and access company databases filled with customers’ personal and payment information.
In all, over 20-million customers were affected. And because of HIPAA reporting requirements, the two lab companies both had to make disclosures. Given their name recognition, it was Quest and LabCorps who made the headlines while AMCA typically came into the story a few paragraphs down.
Now, it seems karma is evening the score.
What is Chapter 11 Bankruptcy?
First things first: Retrieval-Masters isn’t going out of business. It’s not shutting down. At least not immediately. You likely still owe them some money (that they’re now going to be even more intent on collecting).
What Chapter 11 bankruptcy does is allows companies to “reorganize” to keep their business alive and pay their creditors over time. Much like there was a rich irony in Equifax getting its credit rating reduced, there’s also a degree of schadenfreude in seeing a debt collection agency forced to reorganize its debts.
Generally Chapter 11 bankruptcies begin with the filing of a petition to relevant bankruptcy court in the company’s jurisdiction.
Unless the court orders otherwise, the debtor also must file with the court: (1) schedules of assets and liabilities; (2) a schedule of current income and expenditures; (3) a schedule of executory contracts and unexpired leases; and (4) a statement of financial affairs.
That kicks off a long, bureaucratic process that is essentially designed to help large organizations fend off potentially business-crippling debt.
Retrieval-Masters/AMCA was running up one hell of a bill
Let’s start by talking about just how much money passes through the AMCA each year: “over $1 billion in annual receivables…” Obviously, they don’t get to keep all that, but it’s still a significant enough figure to help indicate just how expensive this was all getting for the collections agency.
The investigation into the incident cost $400,000 and it cost an additional $3.8-million to send out all of the required notifications to customers.
That’s over $4.2-million dollars just reporting it. That was enough to force Retrieval Masters to leverage most of its existing assets in order to take out a loan that it must now repay.
Then you have incoming compliance and regulatory penalties that will total in the millions, plus there have already been a pair of class action lawsuits filed and the total number of affected customers continues to grow by the day, which in turn beckons even more lawsuits.
It was enough of an existential threat that Retrieval-Masters need to take drastic action.
Let’s look at some of the other impacts from its filing with the Southern District of New York:
Lost Business
Most critically, as a result of the discovery of the data breach and its aftermath, the Debtor suffered a severe drop-off in its business. Almost immediately upon learning of the breach, LabCorp unqualifiedly and indefinitely terminated its relationship with the Debtor. Soon after, Quest Diagnostics, Conduent, Inc., and CareCentrix, Inc. which together with LabCorp were the Debtor’s four largest clients, stopped sending new work to the Debtor, and all terminated or substantially curtailed their business relationships with the Debtor.
Borrowing money to send notifications
This required more liquidity than the Debtor had available. As a result, and in order to ensure that appropriate notice of the data breach was provided to all individuals possibly affected, the Debtor obtained a secured loan from my personal funds in the amount of $2.5 million, which together with existing cash-on-hand was sufficient to fund mailing of the notices.
Mass Layoffs
In the wake of all the foregoing, including the loss its largest clients, the Debtor also had no choice to substantially reduce its workforce, from 113 employees at year-end 2018, to just 25 as of the Petition Date. The Debtor no longer is optimistic that it will be able to rehabilitate its business.
Asking permission to pay your own employees
The Debtor seeks authority from the Court to pay prepetition employee wages and satisfy related benefit obligations in the ordinary course. The Debtor’s employees perform a wide variety of functions which willbe critical to the administration of the Debtor’schapter 11 case. Without their continued, uninterrupted services, the ability of the Debtor to maintain and administer its estate willbe materially impaired.
Winding down business operations
Accordingly, the Debtor has filed the instant chapter 11 petition in order to allow it the breathing room to appropriately evaluate its pool of remaining assets and liabilities, cost-effectively respond to regulatory demands, and ultimately, to wind-up of its business in an orderly fashion through a liquidating chapter 11 plan.
Based on the available information, Retrieval-Masters would classify as a small business in the US. Again, we discuss all the time how much more dangerous these kinds of security threats are to SMBs. This is a perfect case-in-point.
Don’t let cybersecurity be your company’s Achilles heel.
As always, leave any comments or questions below…
5 Ways to Determine if a Website is Fake, Fraudulent, or a Scam – 2018
in Hashing Out Cyber SecurityHow to Fix ‘ERR_SSL_PROTOCOL_ERROR’ on Google Chrome
in Everything EncryptionRe-Hashed: How to Fix SSL Connection Errors on Android Phones
in Everything EncryptionCloud Security: 5 Serious Emerging Cloud Computing Threats to Avoid
in ssl certificatesThis is what happens when your SSL certificate expires
in Everything EncryptionRe-Hashed: Troubleshoot Firefox’s “Performing TLS Handshake” Message
in Hashing Out Cyber SecurityReport it Right: AMCA got hacked – Not Quest and LabCorp
in Hashing Out Cyber SecurityRe-Hashed: How to clear HSTS settings in Chrome and Firefox
in Everything EncryptionRe-Hashed: The Difference Between SHA-1, SHA-2 and SHA-256 Hash Algorithms
in Everything EncryptionThe Difference Between Root Certificates and Intermediate Certificates
in Everything EncryptionThe difference between Encryption, Hashing and Salting
in Everything EncryptionRe-Hashed: How To Disable Firefox Insecure Password Warnings
in Hashing Out Cyber SecurityCipher Suites: Ciphers, Algorithms and Negotiating Security Settings
in Everything EncryptionThe Ultimate Hacker Movies List for December 2020
in Hashing Out Cyber Security Monthly DigestAnatomy of a Scam: Work from home for Amazon
in Hashing Out Cyber SecurityThe Top 9 Cyber Security Threats That Will Ruin Your Day
in Hashing Out Cyber SecurityHow strong is 256-bit Encryption?
in Everything EncryptionRe-Hashed: How to Trust Manually Installed Root Certificates in iOS 10.3
in Everything EncryptionHow to View SSL Certificate Details in Chrome 56
in Industry LowdownA Call To Let’s Encrypt: Stop Issuing “PayPal” Certificates
in Industry Lowdown