Briefing: Cascading events from a data breach incident leading to bankruptcy
What is happening?
Retrieval-Masters Creditors Bureau Inc. (RMCB) is a third-party debt recovery agency that acts under the name American Medical Collection Agency (AMCA) to collect patient receivables for businesses in the medical and healthcare sector. According to AMCA’s official webpage, their service has been engaged by laboratories, hospitals, physician groups, billing services and medical providers across the US and manages “more than $1 billion in annual receivables”.
In essence, AMCA provides a web payment portal to help businesses bill their medical customers and therefore has access to, and holds, substantial volumes of confidential data.
The names that stand out on AMCA’s client list are its four largest clients, Quest Diagnostics Inc., LabCorp, Conduent Inc. and CareCentrix Inc., all of which have ended their business with AMCA following a disastrous data breach incident that affected millions of people.
The data breach incident in question allegedly involved months of unauthorised activity on AMCA’s web payment portal between August 2018 and March 2019, which went unnoticed until a disproportionate number of credit cards that had interacted with the company’s web payment portal were linked to fraudulent transactions. The data breach also created a cascade of events that led to millions of customer credit card and banking details, Social Security numbers and medical records being advertised for sale on internet forums, and eventually to AMCA filing for bankruptcy.
The bankruptcy filing also states that the data breach “resulted in enormous expenses that were beyond the ability of the Debtor to bear”. These included cybersecurity bills of approximately USD $400k, IT support costs, upgrade costs to protect AMCA’s network from further intrusion, impending court cases and the loss of valuable business partners. Moreover, AMCA has been forced to notify over seven million people potentially impacted by the breach by mail, which cost the business over USD $3.8M.
So what does this mean for other businesses?
Businesses are held responsible for their customers’ data, and severe penalties and legal consequences will follow should a court find that a business was negligent in its data governance and protection.
As we slowly transition into the big data era, many businesses are undertaking digital transformation and leveraging data to drive business value. Whether the data sits entirely within the business or is partly outsourced to a third-party processor, the impact we have seen on AMCA as a result of data breaches, privacy violations and other negligence around data security is a wake-up call for businesses to make a fundamental shift in how they manage data assets and to review the risk profiles of their existing operations.
In Hong Kong, we have the Personal Data (Privacy) Ordinance, otherwise known as the PDPO, which sets out the government’s expectations of businesses when handling the sensitive information of their clients and customers. Hong Kong also has the Privacy Commissioner for Personal Data (PCPD), an independent statutory body set up to oversee enforcement of the PDPO. However, despite these guardrails, Hong Kong saw a record number of data breaches in 2018, totalling 129 incidents, and the numbers are expected to increase in 2019. This, coupled with a major data breach at Hong Kong airline Cathay Pacific which compromised the personal information of over 9.4 million customers, has prompted the PCPD to kick off a series of discussions with the government on reforms that would give the PCPD greater powers to penalise data breaches and regulate data users, including holding businesses to a higher ethical standard in data stewardship.
To ensure they comply with the latest regulations and laws on data governance and privacy, businesses may engage third-party auditing firms for advice and feedback on their current processes and internal policies.
And this is where we come in.
At Aurum (Data Governance) Consultancy, our mission is to mitigate the compliance and technological risks faced by businesses undertaking digital transformation. Our ADG Transformation X package provides the following:
· Compliance and Risk Impact Audit - we advise businesses on their operations, products and/or services in terms of data protection non-compliance risk and cyber-security risk.
· Data Governance Design & Architecture - we help businesses build and implement programmes that enhance their data protection framework, and help them draft policies, procedures and guidelines to mitigate those risks.
· Monitoring - we monitor the ever-changing regulatory landscape on behalf of our clients and continue to help them update their data protection framework, so that they are not exposed to compliance and risk vulnerabilities and threats.
Separately from the above, Aurum (Data Governance) Consultancy also organises and provides data protection and governance training and workshops to assist professionals, businesses and communities interested in digital transformation.
Why choose Aurum?
At Aurum (Data Governance) Consultancy, our consultants bring years of experience in both the legal and technology sectors across the globe. We value our relationships with our clients and place their needs as our highest priority. We are proud of our work ethic and focus on being simpler, better and smarter than our competitors.
Please reach out to firstname.lastname@example.org or Tel: +852 3725 4806.