Democratic senators seek answers from Quest Diagnostics after data breach


Democratic Sens. Bob Menendez (N.J.) and Cory Booker (N.J.) want answers from blood-testing company Quest Diagnostics following a recent data breach that exposed the personal information of an estimated 12 million patients, as another firm revealed that it also had medical data exposed by the incident.

The breach involved an unauthorized user gaining access to the American Medical Collection Agency (AMCA), a billing provider for Quest, potentially compromising Social Security numbers, financial information and personal medical data.


In a Wednesday letter sent to New Jersey-based Quest, the two senators sought details about how the breach occurred and what steps are being taken in response. They specifically took issue with news reports saying it took seven months for the company to publicly disclose the hack.

“As the nation’s largest blood testing provider, this data breach places the information of millions of patients at risk,” Menendez and Booker wrote. “The months-long leak leaves sensitive personal information vulnerable in the hands of criminal enterprises. Moreover, such breaches force victims to contend with identity theft that may lead to irreparable harm to their credit reports and financial futures, and to confront the real possibility that their confidential medical information and history has been exposed.”

The senators said they want to ensure that companies with access to patient data understand how to protect that information. They gave Quest until June 14 to respond to their questions about the timeline of the breach and how the company previously protected its systems.

Sen. Mark Warner (D-Va.) separately wrote a letter to Quest on Wednesday also demanding answers about the data breach, and criticized the company for failing to protect its patients' personal information.

“While I am heartened to learn that no evidence currently suggests Quest Diagnostic’s systems were breached, I am concerned about your supply chain management, and your third party selection and monitoring process,” Warner wrote to Quest. He added that he expects a response to his questions around how the breach occurred within the next two weeks.

The letters were sent on the heels of a disclosure that another blood testing company, LabCorp, was also impacted by the AMCA data breach.

In a Tuesday filing to the Securities and Exchange Commission, LabCorp reported that the personal information of 7.7 million of its customers was exposed to the same unauthorized user. LabCorp said it was informed by AMCA that the data were exposed between August 2018 and March of this year.

“AMCA’s affected system included information provided by LabCorp,” the company wrote in the SEC filing. “That information could include first and last name, date of birth, address, phone, date of service, provider, and balance information. AMCA’s affected system also included credit card or bank account information that was provided by the consumer to AMCA.”

LabCorp said AMCA is in the process of sending notifications to 200,000 of the 7.7 million patients, letting them know that their credit cards and banking information may have been compromised, but that AMCA has not provided LabCorp with a full list of names of the LabCorp customers affected.

LabCorp wrote that it has stopped sending new billing collection requests to AMCA in response to the breach, the same step Quest took earlier this week.

--This report was updated at 1:51 p.m.