Cybersecurity

Democratic senators press third party involved in Quest Diagnostics, LabCorp data breach

Democratic Sens. Cory Booker (N.J.) and Bob Menendez (N.J.) are demanding answers from the third-party billing collection group at the center of a data breach that exposed information on almost 20 million patients.

The data breach involved an unauthorized user gaining access to the system of the American Medical Collection Agency (AMCA), the billing collection company used by Quest Diagnostics and LabCorp.

{mosads}Quest announced earlier this week that the breach led to the exposure of 11.9 million patients’ data, and LabCorp said 7.7 million of its patients had their information compromised. The exposed information included Social Security numbers and financial and medical data.

In a Friday letter to AMCA President Russell Fuchs, the two senators criticized the company’s approach to data security, and asked for details about how the breach occurred and what steps the AMCA will take to prevent additional breaches.

“We must ensure that entities with access to patients’ personal, medical, and financial information understand their heightened duty to protect both the patient and their sensitive information, and that your company is taking both immediate and long-term steps to mitigate any harm,” the senators wrote. 

The letter came a day after a third company, Opko Health, revealed that the AMCA data breach exposed the personal information of more than 400,000 of its patients.

In a filing to the Securities and Exchange Commission, Opko Health said the breach exposed patient names, dates of birth, phone numbers and account balance information. 

AMCA told Opko that it is sending notices to 6,600 Opko patients whose credit card or bank account information was stored in its system.

Opko, like Quest and LabCorp, said it has stopped sending billing requests to AMCA.

Friday’s letter to the AMCA follows similar inquiries from Booker and Menendez to Quest and LabCorp. Sen. Mark Warner (D-Va.) also sent a letter to Quest this week seeking more information about the breach.

Neither Quest nor LabCorp responded to requests for comment.

Booker and Menendez gave AMCA, Quest and LabCorp until June 14 to respond, while Warner asked Quest to respond “in the next two weeks.”

A spokesperson for Menendez told The Hill on Thursday that the senator is considering changes to an existing bill on consumer data privacy and security to reflect challenges posed by attacks on the health care industry.