Things have become complicated regarding American Medical Collection Agency (AMCA), a collections firm used by several medical testing firms. After breach announcements by Quest Diagnostics and LabCorp earlier this month, more healthcare firms announced breach notices.
So, more than 20 million persons have been affected. ZD Net reported the patient totals by healthcare firm:
"Quest Diagnostics (11.9 million patients), LabCorp (7.7 million patients), BioReference Laboratories (Opko Health subsidiary, 422,600 patients), Carecentrix (500,000 patients), and Sunrise Laboratories (undisclosed number of patients)."
Now, we learn that AMCA has filed for bankruptcy protection:
"According to the Chapter 11 declaration (.PDF), filed with the court for the Southern District of New York, AMCA first became aware of a potential security incident when a disproportionate number of credit cards that interacted with the company's web portal were linked to fraudulent transactions... Cybersecurity forensics bills of roughly $400,000, IT support costs, severe restrictions that were put in place to protect AMCA's network from further intrusion, looming court cases, and the loss of valuable business partners have all taken their toll."
A "Chapter 11" bankruptcy means a reorganization, compared to a total liquidation under "Chapter 7." So, AMCA executives expect their company to survive.
ZD Net also reported that AMCA has paid more than:
"... $3.8 million to inform over seven million people who have potentially been impacted via mail. This figure alone is more than the company had to hand, forcing AMCA to take out a loan from the CEO and founder, Russell Fuchs, just to meet this expense. By filing for bankruptcy protection, the business will continue on as usual as AMCA seeks to pay off its creditors."
The costs highlight the consequences when companies fail to protect consumers' sensitive personal and payment data. The bankruptcy filing begs the next question: continue operating how effectively? Reportedly, AMCA has already cut its workforce from 155 to 25 employees. Usually under bankruptcy protection, a court decides which creditors get paid and whether they are paid in full -- including employees.
This scenario makes one wonder if AMCA can afford the ongoing expenses and resources necessary to harden its computer systems against intrusions, pay its employees, fully support data breach victims, and pay any post-breach fines. If AMCA can't pay its employees, it is probably already dead.