Cyber Incident Victim: American Medical Collection Agency

Date: Sep 2018

Location: United States of America

Summary

A breach at American Medical Collection Agency compromised its online payment portal over several months, exposing payment card data and sensitive personal information including Social Security numbers, dates of birth, and addresses for over 200,000 individuals. The incident was discovered through dark web monitoring revealing stolen records linked to medical financial accounts like Health Savings Accounts, which posed heightened risks due to their infrequent monitoring and potential for undetected fraudulent use. Despite notification attempts by cybersecurity analysts and law enforcement, the agency initially failed to respond or publicly acknowledge the breach, leaving its payment portal temporarily disabled without explanation before resuming operations without disclosure.

Description

In September 2018, unauthorized actors compromised the online payment portal of American Medical Collection Agency (AMCA), a major medical debt collection firm. The breach persisted undetected until February 28, 2019, when Gemini Advisory identified a Card Not Present (CNP) database containing stolen payment card records, dates of birth, Social Security numbers, and physical addresses listed for sale on a dark web marketplace. Analysts noted the unusual inclusion of extensive personally identifiable information (PII) alongside payment data, suggesting a compromise of an online portal requiring such details for transactions. Subsequent analysis revealed the affected financial institutions primarily managed Health Savings Accounts (HSAs), Health Reimbursement Accounts (HRAs), Flexible Spending Accounts (FSAs), and Medicare Medical Savings Accounts (MSAs), indicating a medical sector breach. Gemini initially identified approximately 8,000 victims but later determined the exposure window spanned at least seven months, ultimately impacting over 200,000 individuals. On March 1, 2019, Gemini attempted to notify AMCA via phone but received no response, prompting engagement with federal law enforcement. AMCA’s payment portal became inaccessible by April 8, 2019, based on Google cache records, though the exact takedown date remained unclear. The portal resumed operations weeks later without any public breach notification or reference to the incident on AMCA’s website or the HHS breach portal.

The compromised data posed heightened risks due to the nature of medical financial accounts. HSAs and similar accounts, often linked to specialized debit cards, were particularly vulnerable as account holders typically use them infrequently to accumulate funds for future medical expenses or retirement, reducing routine monitoring for fraudulent activity. This infrequent oversight increased the likelihood of delayed fraud detection and potential financial losses for victims. The breach exposed victims not only to payment card fraud but also to identity theft given the inclusion of SSNs and DOBs. AMCA provided no public statements regarding breach notifications, HIPAA compliance obligations, or remediation efforts despite inquiries from Gemini Advisory and DataBreaches.net. The lack of disclosure raised questions about potential legal liabilities, including lawsuits from affected individuals whose medical debts AMCA was attempting to collect. Financial institutions confirmed the link between the stolen data and AMCA’s systems, corroborating Gemini’s findings. The incident highlighted operational security gaps, as the prolonged exposure period and delayed external detection suggested insufficient monitoring of AMCA’s payment infrastructure.
