Parent company of collection agency files for bankruptcy weeks after announcing massive breach

Retrieval-Masters Creditors Bureau (RMCB), the parent company of the American Medical Collection Agency (AMCA), filed for bankruptcy weeks after AMCA announced a massive data breach caused by a system hack exposed personal and billing data for over 19 million individuals.

According to a report from Information Security Media Group, RMCB filed for Chapter 11 in a New York federal bankruptcy court on June 17. The court documents said multiple large clients, including LabCorp, Quest Diagnostics, and CareCentrix Inc., either terminated or sharply curtailed their relationships with RMCB almost immediately after learning of the breach. These companies had first started notifying clients of the breach on May 31.

In addition to dwindling business, the expenses involved in identifying the source of the breach and notifying clients were high. RMCB said in the court documents that it spent approximately $400,000 on IT work related to the breach. The company also spent more than $3.8 million to mail over 7 million individual notices about the breach, court documents said, and the RMCB was forced to reduce its workforce from 113 employees at the end of 2018 to 25 as of the bankruptcy filing on June 17.

The Chapter 11 filing illustrates the steep cost of HIPAA breaches on companies beyond the possible enforcement actions from the Department of Health and Human Services’ Office for Civil Rights (OCR). But bankruptcy might not mark the end of the story for RMCB. According to Information Security Media Group, a Chapter 11 application would not necessarily prevent the OCR from pursuing a HIPAA settlement, as the OCR has previously reached settlements with defunct or bankrupt companies, including Filefax in 2018 and 21st Century Oncology in 2017.