“Today’s agreement ensures that the company has the appropriate security and incident response plan in place so that a failure like this does not take place again,” James said in a press release on Thursday.
Between August 2018 and March 2019, an unauthorized user gained access to American Medical Collection Agency’s (AMCA) computers, despite multiple warnings of a potential breach from banks that processed payments to the company, the release said.
The settlement with 41 state attorneys general requires AMCA to implement a series of security practices that include hiring both a qualified chief information security officer and a third-party assessor to perform a security assessment, the release added.
ACAM would also be subject to a $21 million penalty for violating the agreement, according to the release.