Attorney General Phil Weiser announces multistate settlement in data breach that exposed the personal information of tens of thousands of Coloradans

March 11, 2021 (DENVER)—Attorney General Phil Weiser today announced that Colorado, as part of a coalition of 41 attorneys general, has concluded a multistate investigation into a 2019 data breach that exposed the personal information of over 7 million people, including 148,892 Colorado residents.

Retrieval-Masters Creditors Bureau is a debt collection agency. Under the name American Medical Collection Agency, or AMCA, the company specialized in small balance medical debt collection primarily for laboratories and medical testing facilities. An unauthorized user gained access to AMCA’s internal system from Aug. 1, 2018, through March 30, 2019. AMCA failed to detect the intrusion, despite warnings from banks that processed its payments. The unauthorized user was able to collect a wide variety of personal information, including Social Security numbers, payment card information, and, in some instances, names of medical tests and diagnostic codes.

“Companies must take seriously their responsibility to protect consumers’ personal information,” said Weiser. “Failure to do so can have life-altering consequences for people who may not know they were exposed to potential identity theft. We will continue to hold businesses accountable for protecting Coloradans’ personal information.”

On June 3, 2019, AMCA provided notice to many states and began providing notice to over 7 million affected individuals that included an offer of two years of free credit monitoring. On June 17, 2019, because of the costs associated with providing notification and remediating the breach, AMCA filed for bankruptcy. The multistate coalition participated in all bankruptcy proceedings through the attorneys general of Indiana and Texas. The company ultimately received permission from the bankruptcy court to settle with the multistate, and on December 9, 2020, filed for dismissal of the bankruptcy.

As part of the settlement, AMCA may be liable for a $21 million total payment to the states. Because of AMCA’s financial condition, that payment is suspended unless the company violates certain terms of the settlement agreement.

Under the terms of the settlement, AMCA agreed to implement and maintain a series of data security practices designed to strengthen its information security program and safeguard the personal information of consumers.

Colorado law requires certain persons and entities to take reasonable steps to protect personal identifying information. For more information about Colorado’s data protection laws, go to coag.gov/resources/data-protection-laws/.

###

Media Contact

Lawrence Pacheco

Director of Communications

(720) 508-6553 office | (720) 245-4689 cell

Lawrence.pacheco@coag.gov

Most Recent

Attorney General Phil Weiser helps secure over $200 million from Gilead Sciences for paying illegal kickbacks

July 15, 2025 (DENVER) – Attorney General Phil Weiser today joined a bipartisan coalition of 48 other attorneys general in securing $202 million from Gilead Sciences, Inc. for running an illegal kickback scheme to promote its HIV medications. Colorado will […]

Attorney General Phil Weiser, multistate coalition call on Congress to end use of masked agents in ICE arrests

July 15, 2025 (DENVER) — Attorney General Phil Weiser today joined a coalition of 21 state attorneys general in calling on Congress to prohibit the use of masked and plainclothes federal agents during immigration enforcement operations. In a letter to […]

Attorney General Phil Weiser helps lead lawsuit against Trump administration for freezing $6.8 billion in education funding just weeks before school year start

July 14, 2025 (DENVER) – Attorney General Phil Weiser today sued the Trump administration over its unconstitutional, unlawful, and arbitrary decision to freeze $80 million in federal funding for Colorado schools and students. On June 30, the Office of Management and Budget […]