LAS VEGAS (KLAS) — A data breach that exposed the personal information of 345,447 Nevadans — and more than 7 million nationwide — has led to a settlement with a debt collection company.

Nevada Attorney General Aaron D. Ford announced Thursday that Retrieval-Masters Creditors Bureau d/b/a/ American Medical Collection Agency (AMCA) has agreed to the settlement with 41 states.

AMCA filed for bankruptcy protection in the weeks that followed the June 3, 2019, disclosure of the breach. AMCA ultimately received permission from the bankruptcy court to settle the case, and on Dec. 9, 2020, filed for dismissal of the bankruptcy.

Under terms of the settlement, AMCA and its principals have agreed to implement and maintain stronger data security practices including:

  • Creating and implementing an information security program with detailed requirements, including an incident response plan
  • Employing a duly qualified Chief Information Security Officer
  • Hiring a Third-Party Assessor to perform an information security assessment Cooperating with the Attorneys General with investigations related to the data breach and maintaining evidence

If these conditions are not met, AMCA could be held liable for a $21 million payment.

Thursday’s announcement said the data breach potentially exposed the personal information of up to 21 million individuals across the nation.

An unauthorized user gained access to AMCA’s internal system from Aug. 1, 2018, through March 30, 2019. AMCA failed to detect the intrusion, despite warnings from banks that processed its payments. The unauthorized user was able to collect a wide variety of personal information, including Social Security numbers, payment card information, and, in some instances, names of medical tests and diagnostic codes.

“Debt collectors, particularly those with consumers’ health information, have a duty to uphold the promise to keep consumers’ data safe from unauthorized access,” Ford said. “My office will continue to make sure that those who have access to Nevadans’ personal and financial information maintain the security standards necessary to keep that data from being exposed.”

In addition to Nevada, other states participating in the coalition includes: Arizona, Arkansas, Connecticut, Colorado, the District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Nebraska, New Hampshire, New Jersey, New Mexico, New York, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Virginia, Washington, and West Virginia.