Patients whose personal and medical data were exposed in the 2019 breach at American Medical Collection Agency can now file claims for automatic payments of $50 or seek up to $5,000 in documented losses, with a September 3 deadline to act. Labcorp, one of the largest laboratory networks in the country, agreed to pay $35 million to resolve the class action consolidated under MDL 2904 in the U.S. District Court for the District of New Jersey. The settlement follows a multistate investigation by a bipartisan coalition of 41 attorneys general who found that AMCA, operating as Retrieval-Masters Creditors Bureau, failed to protect sensitive patient records entrusted to it by major health care companies.
Why the $35 million AMCA settlement demands attention now
The claims window is open and shrinking. Affected patients face a hard September 3 cutoff to choose between two tiers of compensation. The first tier offers a flat $50 payment with minimal paperwork. The second tier allows claims of up to $5,000 but requires documentation of out-of-pocket costs tied to the breach, such as credit monitoring fees, fraudulent charges, or time spent correcting records. That gap creates a practical test: how many people will settle for the automatic payout versus assembling proof of real losses? Future court status reports in the MDL 2904 docket could reveal whether the tiered model concentrates payouts among a small group of high-loss claimants or distributes the fund broadly across tens of thousands of low-effort filings.
The stakes extend beyond individual checks. AMCA handled billing collections for Labcorp, Quest Diagnostics, and other health care providers, meaning the breach touched patients who may not have known a third-party contractor held their Social Security numbers, payment card details, and medical information. The settlement signals that labs and health systems bear financial consequences when their vendors mishandle data, even if the vendor, not the lab, suffered the intrusion. For patients, the case underscores the importance of monitoring credit reports and insurance explanations of benefits for unusual activity, even when they have never heard of the company that actually lost their data.
Because the settlement fund is finite, participation rates will directly influence how much each claimant ultimately receives. If relatively few people file, those who do may obtain the full advertised amounts. If claims are heavy, payments could be reduced on a pro rata basis. That uncertainty adds urgency for affected patients who qualify but have not yet decided whether to pursue the more demanding documentation route or accept the simpler $50 option.
How 41 attorneys general built the case against AMCA
The enforcement action traces back to June 3, 2019, when AMCA notified state authorities that an unauthorized user had accessed its internal systems for months. A bipartisan coalition of attorneys general launched a joint investigation into AMCA’s security practices and concluded that the company had failed to implement adequate safeguards before and during the breach. Investigators found deficiencies in basic controls such as network monitoring, password management, and timely detection of suspicious activity, all of which allowed the intrusion to continue undetected while attackers probed databases containing highly sensitive health and financial information.
The resulting agreement with the states required AMCA to overhaul its data protection protocols and submit to independent oversight. Among other measures, the company must maintain a comprehensive information security program, conduct regular risk assessments, and provide detailed reports to regulators for a set period. These obligations are designed not only to prevent a repeat incident at AMCA, but also to send a message to other collection agencies and vendors that handle protected health information on behalf of hospitals and laboratories.
On the federal side, affected patients consolidated their claims into a single multidistrict litigation proceeding. The case, formally titled American Medical Collection Agency, Inc., Customer Data Security Breach Litigation, is docketed as MDL 19-md-2904 in the District of New Jersey. That docket contains the settlement approval filings, class definitions, and compensation schedules that govern who qualifies and how much they can receive. Labcorp’s $35 million commitment represents the largest single payment tied to the breach, reflecting the company’s role as one of AMCA’s highest-volume clients and the scale of the data it turned over for collections.
Open questions about claim rates and long-term accountability
Even with the settlement in place, critical questions remain about how many of the millions of affected patients will actually participate. Data breach settlements routinely see low claim rates, especially when victims are unaware that their information was compromised or doubt that small payments justify the effort. Here, the presence of a $50 automatic option could nudge more people to file, but the requirement to act by September 3 may still limit response.
Another unresolved issue is whether the combination of state enforcement and civil litigation will meaningfully change vendor oversight in health care. Labs and hospitals may now be more inclined to demand detailed security audits, contractual breach notification timelines, and cyber insurance coverage from third-party collectors. Yet those measures depend on sustained attention from executives long after headlines fade. Regulators can help maintain pressure by continuing to scrutinize vendors that appear in multiple breach reports and by using tools such as the New York registry search and similar databases to track entities that operate across state lines.
For individual patients, the AMCA case illustrates both the limits and the value of post-breach remedies. No settlement can fully unwind the exposure of Social Security numbers or medical details that may circulate on illicit markets for years. However, monetary relief can offset some immediate costs, and court-ordered security improvements may reduce the risk of future incidents involving the same vendors. As the September 3 deadline approaches, the ultimate measure of this settlement’s impact will be how many people claim the relief they are owed and whether health care organizations translate this costly lesson into stronger protections for the next generation of patients.
