Nexa Collections


Why Cybersecurity Matters for Collection Agencies

Handling debtor information securely isn’t just good business—it’s legally essential. For collection agencies, failing to protect sensitive debtor data can be disastrous. Here’s what agencies must know about cybersecurity and why it matters:

Compliance Isn’t Optional

Collection agencies are regulated by laws such as the Fair Debt Collection Practices Act (FDCPA) and the Gramm-Leach-Bliley Act (GLBA). These regulations demand stringent data security practices. If an agency doesn’t comply, it could face serious penalties. For example, a violation under the GLBA can lead to fines of up to $100,000 per violation for the agency, and agency officers could be personally fined up to $10,000.

Real Cyber Threats, Real Costs

Debtor data is particularly appealing to cybercriminals. It often contains Social Security numbers, bank account details, and personal contact information. A single breach can expose thousands of individuals’ sensitive data. In one notable incident, a medium-sized collection agency suffered a ransomware attack that compromised over 25,000 debtor accounts. The cost of addressing this breach—including legal fees, notification costs, and settlements—exceeded $1 million.

Protect Your Reputation

A breach doesn’t just mean financial loss; it can severely damage an agency’s reputation. Clients depend on agencies to handle debtor information responsibly. For instance, after experiencing a data leak involving debtor information, a California-based collection firm lost key contracts, amounting to nearly $500,000 in annual revenue. Effective cybersecurity shows clients and debtors alike that your agency is trustworthy and reliable.

Minimizing Risks Through Security Practices

Agencies must take proactive cybersecurity steps. Secure portals, encryption, firewalls, and two-factor authentication (2FA) are foundational security measures. Consider a situation where an employee accidentally emails debtor information without encryption. Such an incident could result in fines ranging from $5,000 to $50,000 per violation under certain state privacy laws, like the California Consumer Privacy Act (CCPA).

Be Prepared to Respond

No cybersecurity strategy is foolproof. Thus, having an incident response plan is crucial. Rapidly addressing breaches can limit damages significantly. Agencies should conduct regular cybersecurity training and periodic audits to identify potential vulnerabilities before they become expensive problems.

Security Checklist for Clients

Before sharing delinquent customer data, clients should ask collection agencies:

  • Do you comply fully with relevant laws such as FDCPA, GLBA, and state-specific privacy laws?
  • What cybersecurity measures do you have in place (encryption, two-factor authentication, VPN, firewalls, secure portals)?
  • How regularly do you conduct cybersecurity training for your staff?
  • What is your response plan in case of a data breach?
  • Are we protected if there is a mistake on your end (do you carry cybersecurity insurance)?

Bottom Line

Cybersecurity for collection agencies isn’t just a technical necessity—it’s a vital part of managing risk, maintaining compliance, and safeguarding both finances and reputation.

California Privacy Rights Act (CPRA) – Key Points

The California Privacy Rights Act (CPRA) is a privacy law that was approved by California voters in November 2020, and it is set to take effect on January 1, 2023, with enforcement beginning on July 1, 2023. The CPRA builds on the California Consumer Privacy Act (CCPA), which was enacted in 2018, and further enhances privacy protections for California residents. Here are some key provisions and enhancements introduced by the CPRA:

  1. Creation of the California Privacy Protection Agency (CPPA): The CPRA establishes a new state agency, the California Privacy Protection Agency, to enforce the law, and issue regulations and guidance.
  2. Expanded Rights of Consumers: CPRA expands the existing rights under CCPA and introduces new rights for consumers, such as the right to correct inaccurate personal information, and a broader right to opt-out of not only the sale but also the sharing of personal information for advertising and marketing purposes.
  3. Sensitive Personal Information: The CPRA introduces a new category called “sensitive personal information” which includes precise geolocation, race, religion, biometric data, health information, and more. Consumers have the right to limit the use and disclosure of sensitive personal information.
  4. Data Minimization and Purpose Limitation: Businesses are required to limit the collection of personal information to what is necessary for the purposes for which it was collected and must specify the purpose for collecting or using personal information.
  5. Risk Assessments and Audits: Certain businesses must conduct regular risk assessments and submit cybersecurity audits regarding their processing of consumers’ personal information.
  6. Increased Penalties for Violations Involving Children’s Data: The CPRA increases penalties for violations of the law that involve the personal information of minors.
  7. Expanded Breach Liability: CPRA expands the private right of action for data breaches to include unauthorized access or disclosure of an individual’s email address combined with a password or security question and answer that would permit access to an account.
  8. Service Providers and Contractors: CPRA imposes new obligations on service providers and contractors and requires specific contractual provisions when businesses share personal information with these parties.
  9. Exemptions: The CPRA extends certain exemptions, such as those for business-to-business (B2B) and employee data, but they are subject to conditions.
  10. International Data Transfers: The CPRA hints at future regulation regarding restrictions on cross-border data transfers, but the specifics have not yet been developed.

Businesses that fall within the scope of the CPRA need to ensure compliance by reviewing and updating their data protection policies, practices, and contracts. Consumers should be aware of their enhanced rights under this law and know how to exercise them.

Why New York Medical Practices Are Rethinking Their Collection Partner

New York has completely reshaped how medical and dental debt can be collected. 😟

If your current collection partner is still threatening credit reporting, talking about wage garnishments, or dragging out lawsuits, they are working off an outdated playbook—and you are the one carrying the risk.

Over the last few years, New York has:

  • Cut the statute of limitations for most medical debts to three years instead of six.

  • Banned hospitals and many providers from garnishing wages or putting liens on primary homes for medical debt judgments.

  • Passed a Fair Medical Debt Reporting law that effectively prohibits medical providers from reporting medical debt to credit bureaus and blocks that debt from appearing on consumer credit reports.

  • Tightened rules on financial assistance, interest rates, and payment caps for eligible patients.

Add strict HIPAA requirements, state and city consumer-protection rules, and new disclosure obligations, and you get a simple reality:

Collecting medical and dental debt in New York is possible—but it is not easy, and bad agencies can create more legal and reputational risk than recovery. 

Nexa provides 100% reputation-safe service, holds collections licenses for all 50 states, and offers free credit reporting, free litigation, free bankruptcy scrubs, and zero onboarding fees. Secure: SOC 2 Type II and HIPAA compliant. Over 2,000 online reviews rate us 4.85 out of 5.


Why Switch? The Hidden Cost of Using the Wrong Agency

Many New York providers are still partnered with agencies that were a decent fit ten years ago, but not today. Common warning signs:

  • They still talk about using credit reporting as leverage, even though New York now blocks most provider-reported medical debt from credit reports.

  • They push long, drawn-out lawsuits, ignoring that the statute of limitations on medical debt is now only three years, and that hospitals and many providers cannot enforce medical judgments with wage garnishments or home liens.

  • They don’t mention New York City licensing and disclosure rules, language access requirements, or the need for a city collector’s license to collect from NYC residents.

  • Their scripts clearly aren’t written for a state where medical debt can no longer be used to ruin a patient’s credit score.

If your agency is still operating as if New York were any other state, you may be:

  • Leaving recoverable dollars on the table because they don’t understand the new rules.

  • Carrying more legal risk than necessary.

  • Spending internal time cleaning up patient complaints, regulator inquiries, and lawyer letters.

Switching to a New York–savvy partner through Nexa’s network helps you keep your legal risk low while recovering more, and protects your name on Google while you still get paid.

Note: Nexa is an information portal. We don’t collect or credit-report ourselves; we connect you with vetted, HIPAA-aware agencies that understand New York.


What Has Actually Changed? A Snapshot of New York Medical Debt Rules

Here are the big shifts every New York provider should know:

  • Credit reporting of medical debt is heavily restricted

    • New state law prevents most New York hospitals, health care professionals, and ambulance providers from reporting medical debt to credit agencies.

    • Medical and many dental debts from New York providers are not supposed to appear on consumer credit reports.

    • Medical charges buried inside a general credit card balance can still show up as part of that card debt—but that is fundamentally a card issue, not provider-reported medical debt.

  • Statute of limitations for medical debt is now three years

    • The period to sue on most medical debts has been shortened from six years to three years, which dramatically narrows the window for lawsuits.

  • No wage garnishments or home liens for many medical judgments

    • Hospitals and similar providers can no longer enforce many medical debt judgments through wage garnishment or liens on primary residences.

  • Stronger hospital financial assistance & consent rules

    • New York requires standardized financial assistance programs, limits what hospitals can bill certain low- and middle-income patients, and caps interest rates on medical judgments for qualifying patients.

  • New York City–specific collection rules

    • New York City requires collectors to be licensed, to provide clear language access disclosures, and, in many cases, to explain when a debt is time-barred and that medical debts cannot be reported to credit bureaus.

  • National trend away from medical credit reporting

    • Major credit bureaus have already stopped reporting paid medical collections and medical debts under a certain threshold, and extended the waiting period for reporting larger medical debts.

    • Federal regulators are pushing lenders to stop using medical bills in credit decisions, further reducing the value of “credit reporting pressure” as a tool.

All of this means: New York state policies deliberately make old-school, aggressive collection tactics less effective. The only sustainable path now is patient-centric, compliant recovery.


Recent Results: How New York–Savvy Agencies Operate

These are illustrative, fresh examples aligned with what New York–focused agencies are seeing today.

1) Manhattan Multi-Specialty Practice – Midtown, NYC
A multi-specialty group near Midtown had about $220,000 in patient balances between 90 and 180 days, with a heavy mix of high-deductible plans and self-pay accounts. Their legacy agency was still talking about “sending to credit” and filing suits four or five years after service, completely out of sync with New York’s shorter statute and credit-reporting rules.

After switching to a New York–focused partner through Nexa:

  • Accounts were re-aged and prioritized to stay within the three-year window.

  • Scripts were rewritten to emphasize financial assistance, realistic payment plans, and clear explanations, instead of threats.

  • Within nine months, about 41% of the assigned dollars were resolved through payments or structured plans, with noticeably fewer complaints bouncing back to the practice.

2) Brooklyn Dental Group – Family-Oriented Practice
A dental group in Brooklyn had roughly $135,000 in overdue balances, many under $1,200, from families juggling multiple visits and orthodontic treatments. Their previous agency kept hinting at credit damage, which was no longer realistic and only generated angry calls and poor reviews.

With a compliant, patient-friendly agency:

  • Messaging shifted to “let’s sort this out together” with flexible plans and clear breakdowns of insurance versus patient responsibility.

  • The agency used professional, multi-channel reminders instead of harsh threats.

  • Over seven months, the practice resolved about 48% of the dollars placed, saw far fewer reputation issues, and had staff spending less time apologizing for a vendor’s behavior.

These examples show that even with tight state policies, you can still recover a meaningful share of your AR—if you work with agencies that actually understand New York.


Q&A: New York Medical Collections – What Practice Managers Ask Most

Q: If medical debt can’t go on credit reports, is there any point sending accounts to collections?
A: Yes. Credit reporting was always just one tool—and often a blunt one. Recovery in New York now relies more on:

  • Thoughtful, timely patient outreach

  • Realistic payment plans and settlements

  • Early placement, well before the three-year mark

The right agency can still help you recover a large portion of overdue balances, even without credit reporting, while keeping your legal risk low.


Q: Are dental debts treated differently from medical debts?
A: In New York, most bills from licensed health-care professionals—including many dental providers—are treated similarly to medical debt for purposes of newer protections. In practical terms, that means many dental accounts are covered by the same credit-reporting bans and consumer protections as hospital bills.

Dental practices need agencies that understand how to:

  • Explain treatment plans and insurance gaps clearly

  • Segment small family balances from larger, elective or orthodontic cases

  • Stay firmly within HIPAA and New York consumer-protection rules


Q: What does HIPAA compliance really mean in the collection context?
A: Any agency handling your New York medical or dental accounts should:

  • Sign appropriate Business Associate Agreements (BAAs)

  • Use encrypted systems and restricted access for PHI

  • Train staff on “minimum necessary” disclosure when speaking with patients or authorized representatives

  • Avoid leaving detailed medical information in voicemails or letters

With New York regulators paying closer attention to billing and privacy, you want partners that treat HIPAA as non-negotiable, not optional.


Q: How do New York’s hospital financial assistance rules affect collections?
A: Recent laws require hospitals to have clear financial assistance programs, limit what they can bill eligible patients, and cap interest rates on many medical judgments.

Practically, this means:

  • More screening for assistance eligibility before and during collections

  • Tighter rules on what can be billed and when

  • More situations where a balance should be reduced, converted to charity care, or written off, instead of pursued aggressively

Agencies that don’t understand these obligations can push you into regulatory trouble very quickly.


Q: Does the shorter three-year statute of limitations really matter?
A: Absolutely. With a three-year limitation on most medical debts, waiting too long to place accounts can quietly erase your options.

A smarter approach is to:

  • Define clear placement triggers (for example, 90 or 120 days past due)

  • Ensure your agency tracks age of debt accurately

  • Have them flag time-barred accounts so you don’t threaten lawsuits you can’t legally file

This keeps you honest, reduces legal risk, and focuses effort where it still matters.


Q: What about lawsuits—are they still worth considering?
A: Lawsuits in New York are now more limited in value for medical debts:

  • The window to sue is shorter

  • Wage garnishments and home liens for many medical debts are restricted or banned

  • Courts and advocates are watching medical cases closely

That doesn’t mean legal action is never appropriate—but it should be rare, strategic, and well documented, not a default. A good agency will help you pick your spots instead of sending every file to an attorney.


Q: Where does Nexa fit into all of this?
A: Nexa is not a collection agency and doesn’t do any credit reporting. Instead, we:

  • Learn about your specialty, payer mix, and AR profile

  • Shortlist New York–licensed, HIPAA-compliant agencies that understand the state’s medical-debt reforms

  • Focus on partners who can stretch your internal team further without hiring extra staff, and protect your name on Google while still getting paid

You stay in control. You decide whether or not to work with the agencies we recommend.


Ready to Move On From an Agency That Hasn’t Kept Up With New York Law?

If your current vendor is still talking about old-school tactics—credit reporting threats, six-year timelines, aggressive lawsuits—you’re carrying their risk on your brand and balance sheet.

Consider switching to a partner that is built for New York’s new rules, helps you keep your legal risk low while recovering more, and protects your name on Google while still getting paid.

    Copyright © 2026 NEXACOLLECT.COM | All information on this website is for general information only and is not expert advice. We do not accept any responsibility for the correctness or authenticity of the information, or for any loss or injury resulting from it.
