Democratic Sens. Bob MenendezRobert (Bob) MenendezUS maintains pressure on Russia amid concerns of potential Ukraine invasion Dems block Cruz's Nord Stream 2 sanctions bill Overnight Defense & National Security — Differences remain between NATO, Russia MORE (N.J.) and Cory BookerCory BookerDespite Senate setbacks, the fight for voting rights is far from over Small ranchers say Biden letting them get squeezed Democrats call on Biden administration to ease entry to US for at-risk Afghans MORE (N.J.) want answers from blood-testing company Quest Diagnostics following a recent data breach that exposed the personal information of an estimated 12 million patients, as another firm revealed that it also had medical data exposed by the incident.
The breach involved an unauthorized user gaining access to the American Medical Collection Agency (AMCA), a billing provider for Quest, potentially compromising Social Security numbers, financial information and personal medical data.
In a Wednesday letter sent to New Jersey-based Quest, the two senators sought details about how the breach occurred and what steps are being taken in response. They specifically took issue with news reports saying it took seven months for the company to publicly disclose the hack.
“As the nation’s largest blood testing provider, this data breach places the information of millions of patients at risk,” Menendez and Booker wrote. “The months-long leak leaves sensitive personal information vulnerable in the hands of criminal enterprises. Moreover, such breaches force victims to contend with identity theft that may lead to irreparable harm to their credit reports and financial futures, and to confront the real possibility that their confidential medical information and history has been exposed.”
The senators said they want to ensure that companies with access to patient data understand how to protect that information. They gave Quest until June 14 to respond to their questions about the timeline of the breach and how the company previously protected its systems.
Sen. Mark WarnerMark Robert WarnerCIA says 'Havana syndrome' unlikely a result of 'worldwide campaign' by foreign power Schumer opted for modest rules reform after pushback from moderates Biden moves to boost security of sensitive national security systems MORE (D-Va.) separately wrote a letter to Quest on Wednesday also demanding answers about the data breach, and criticized the company for failing to protect its patients' personal information.
“While I am heartened to learn that no evidence currently suggests Quest Diagnostic’s systems were breached, I am concerned about your supply chain management, and your third party selection and monitoring process," Warner wrote to Quest. He added that he expects a response to his questions around how the breach occurred within the next two weeks.
The letters were sent on the heels of a disclosure that another blood testing company, LabCorp, was also impacted by the AMCA data breach.
In a Tuesday filing to the Securities and Exchange Commission, LabCorp reported that the personal information of 7.7 million of its customers was exposed to the same unauthorized user. LabCorp said it was informed by AMCA that the data were exposed between August 2018 and March of this year.
“AMCA’s affected system included information provided by LabCorp,” the company wrote in the SEC filing. “That information could include first and last name, date of birth, address, phone, date of service, provider, and balance information. AMCA’s affected system also included credit card or bank account information that was provided by the consumer to AMCA.”
LabCorp said ACMA is in the process of sending notifications to 200,000 of the 7.7 million patients, letting them know that their credit cards and banking information may have been compromised, but that ACMA has not provided LabCorp with a full list of names of the LabCorp customers affected.
LabCorp wrote that it has stopped sending new billing collection requests to ACMA in response to the breach, the same step Quest took earlier this week.
--This report was updated at 1:51 p.m.