Insurmountable Failed Program Expenses?
American Medical Collection Agency (AMCA), a HIPAA Business Associate, endured a criminal hacking campaign from August 2018 through March 2019 that affected up to 20 million patients. Personal, financial and medical information was compromised until the hacking was identified, eight months after it began. But this post isn't about the AMCA breach itself; it's about AMCA's parent company, Retrieval-Masters Creditors Bureau, filing for Chapter 11 bankruptcy protection.
We've written about the permanent consequences that can follow for non-compliant, non-secure Covered Entities or Business Associates, most recently in April, when a two-physician practice closed its doors following an attack that encrypted its patients' ePHI. We're writing again because this time a company that normally handles copious amounts of its Covered Entity clients' information is most likely closing its doors. Notably, bankruptcy doesn't stop DoHHS from collecting monies (HIPAA Safe Issue 17) against a liquidated company's assets.
Parent company CEO Russell Fuchs filed court documents that include his admission that his company incurred “enormous expenses that were beyond the ability of the debtor to bear.” Some of the reported expenses that the company is enduring or will endure include:
$3.8 million to mail breach notices
$400,000 to manage breach response
additional litigation from affected business partners whose information was compromised, including Quest Diagnostics (11.9 million patients), Labcorp (7.7 million patients) and Bioreference (442,000 patients)
lost business with two others of its largest client companies
a Michigan Attorney General investigation
a federal Senate investigation
Running a HIPAA-compliant and secure program that includes reasonable Business Associate due diligence remains a "pennies on the dollar" cost-effective alternative to the above narrative. Whether you are a small physician practice, a large laboratory company or a collection agency, HIPAA remains a program compelled by federal law if you work with protected health information.