Scroll Top

Bankruptcy after Data Breach – a GDPR lesson best learned from others


Bankruptcy after Data Breach

– a GDPR lesson best learned from others –

The American Medical Collections Agency’s parent company applies for Chapter 11 bankruptcy. Let’s update you on a story we covered a couple of weeks ago: the American Medical Collections Agency’s data breach. At the time we opined that AMCA ought to be the one using this security gaffe– not simply LabCorps and Quest. Now, simply two weeks later, the AMCA’s moms and dad business, Retrieval-Masters Creditors Bureau, is filling for Chapter 11 personal bankruptcy.

We talk all the time about the effects that can come with a data breach, the compliance penalties, the financial repercussions– the loss of confidence in your business. This is an ideal example. AMCA is a sub-brand of Retrieval-Masters, however, this impacts the whole business. So, today we’re going to talk a bit about AMCA, Chapter 11 bankruptcy and what this all means. Let’s hash it out.


on-demand GDPR Services

A Partner You Can Depend on to Help Your Organisation Meet GDPR Compliance. Industry leaders. Award-winning experience. All you need to know, to keep your business safe.

What happened with AMCA?
Simply a quick reminder: The AMCA suffered a huge data breach that affected customers at 2 of the United States’ most significant lab screening companies: Mission and LabCorps. It also impacted some of its lesser-known testing companies, too: BioReference Laboratories, CareCentrix and Sunrise Labs.

“We are investigating a data incident involving an unauthorized user accessing the American Medical Collection Agency system. Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page,” a spokesperson for AMCA said at the time.

As the name recommends, the AMCA handles billing for the previously mentioned laboratory testing companies. Particularly collections. When you don’t pay on time, the AMCA is who harasses you. The breach happened since hackers were able to get into the AMCA’s web payment portal and gain access to company databases filled with clients’ personal data and payment information. Over 20-million consumers were impacted. And due to the fact that of HIPAA reporting requirements, the 2 lab companies both needed to make disclosures. Given their name acknowledgement, it was LabCorps and Mission who made the headlines, while AMCA usually came into the story a few paragraphs down. Now, karma is back.



Compliant and sustainable long-term GDPR operational behaviour. Have a rock-solid foundation for privacy procedures and GDPR mandate compliance.

What is Chapter 11 Insolvency?
First things first: Retrieval-Masters isn’t going out of business. It’s not shutting down. At least not right now. You likely still owe them some money (that they’re now going to be much more intent on collecting). What Chapter 11 insolvency does: it allows a business to “restructure” and to keep their company alive and pay their financial institutions in time. Much like there was an abundant paradox in Equifax getting its credit ranking lowered, there’s also a degree of schadenfreude in seeing a debt collection agency required to restructure its debts. Generally, Chapter 11 bankruptcies begin with the filing of a petition to the appropriate personal bankruptcy court in the company’s jurisdiction.

Retrieval-Masters/AMCA was running up one hell of an expense!
Let’s begin by talking about just how much money passes through the AMCA each year: “over $1 billion in yearly receivables …”. Clearly, they don’t get to keep all that, however, it’s still a considerable big figure to indicate just how costly this was for the collections agency. The examination into the incident expenses $400,000 and it cost an extra $3.8-million to send all of the required notices to clients. That’s over $4.2-million dollars simply reporting it. That was enough to force Retrieval Masters to leverage most of its existing possessions in order to get a loan that it need to now pay back.

Then you have inbound compliance and regulative charges that will total in the millions, plus there have currently been a set of class action suits submitted. Also, the overall variety of affected customers continues to grow by the day, which in turn beckons a lot more claims. It was enough of an existential hazard that Retrieval-Masters decided to take drastic action.


on-demand GDPR Services

A Partner You Can Depend on to Help Your Organisation Meet GDPR Compliance. Industry leaders. Award-winning experience. All you need to know, to keep your business safe.

Let’s look at a few of the other effects from its filing with the Southern District of New York:

Lost Business
Most critically, as a result of the discovery of the data breach and its aftermath, the Debtor suffered a severe drop-off in its business. Almost immediately upon learning of the breach, LabCorp unqualifiedly and indefinitely terminated its relationship with the Debtor. Soon after, Quest Diagnostics, Conduent, Inc., and CareCentrix, Inc. which together with LabCorp were the Debtor’s four largest clients, stopped sending new work to the Debtor, and all terminated or substantially curtailed their business relationships with the Debtor.

Borrowing money to send notifications
This required more liquidity than the Debtor had available. As a result, and in order to ensure that appropriate notice of the data breach was provided to all individuals possibly affected, the Debtor obtained a secured loan from my personal funds in the amount of $2.5 million, which together with existing cash-on-hand was sufficient to fund mailing of the notices.

Mass Layoffs
In the wake of all the foregoing, including the loss its largest clients, the Debtor also had no choice to substantially reduce its workforce, from 113 employees at year-end 2018, to just 25 as of the Petition Date. The Debtor no longer is optimistic that it will be able to rehabilitate its business.

Asking permission to pay your own employees
The Debtor seeks authority from the Court to pay prepetition employee wages and satisfy related benefit obligations in the ordinary course. The Debtor’s employees perform a wide variety of functions which will be critical to the administration of the Debtor’s chapter 11 case. Without their continued, uninterrupted services, the ability of the Debtor to maintain and administer its estate will be materially impaired.

Winding down business operations
Accordingly, the Debtor has filed the instant chapter 11 petition in order to allow it the breathing room to appropriately evaluate its pool of remaining assets and liabilities, cost-effectively respond to regulatory demands, and ultimately, to the wind-up of its business in an orderly fashion through a liquidating chapter 11 plan.

Based on the available information, Retrieval-Masters would classify as a small business in the US. Again, we discuss all the time how much more dangerous these kinds of security threats are to SMBs. This is a perfect study case. Don’t let cybersecurity and lack of compliance be your company’s ultimate, but a sudden end.

data protection OFFICER

Identify high-risk problems. Taking access and rights management into serious consideration is the foundation for a safely guarded online presence throughout your domain.

Do you have any questions about our GDPR Service or related to GDPR Services in general? Leave your thoughts about these Private Data breaches in the comments below!