A hack of health care data involving a medical bill collector and two major diagnostics companies has grown to almost 20 million people, and is now attracting more questions from key members of Congress.
American Medical Collection Agency, an Elmsford, New York-based collections firm, has now been identified by two large medical companies as the victim in a large health care data breach. On Tuesday, Laboratory Corporation of America Holdings said that 7.7 million patients’ accounts at AMCA were stored in the vulnerable computer system. The disclosure follows a similar warning by Quest Diagnostics Inc. that 11.9 million people were exposed.
The exposed data includes names, dates of birth, addresses, financial and other personal information. LabCorp didn’t provide AMCA with any ordered test, diagnostic information or test results, the company said in a securities filing. Quest said in a statement that the hack may have included unspecified medical information, but not test results.
Three senators, including New Jersey Democrats Bob Menendez and Cory Booker, and Mark Warner, a Virginia Democrat, wrote Quest on Wednesday asking about the breach. Warner, a leading cybersecurity advocate in Congress, said in his letter to Quest that contractors like AMCA were a frequent target.
“I am concerned about your supply chain management, and your third party selection and monitoring process,” Warner said in the letter to Quest Chief Executive Officer Stephen Rusckowski. Quest and Laboratory Corporation have both said they haven’t gotten a full accounting of the breach by AMCA.
In a separate letter, Menendez and Booker demanded that Secaucus, New Jersey-based Quest provide a detailed timeline of the breach and the company’s reaction to it, including what steps it has taken the company has taken to limit patient harm.
Medical records are frequent targets because they contain a rich tapestry of information that can be used for identity theft. One of the largest health-related hacks was a 2015 breach at insurer Anthem Inc., in which records for about 80 million people were exposed. A Chinese citizen was indicted by U.S. authorities last month over the hack.