Democratic senators seek answers from Quest Diagnostics after data breach


Democratic Sens. Bob Menendez (N.J.) and Cory Booker (N.J.) want answers from blood-testing company Quest Diagnostics following a recent data breach that exposed the personal information of an estimated 12 million patients, as another firm revealed that it also had medical data exposed by the incident.

The breach involved an unauthorized user gaining access to the American Medical Collection Agency (AMCA), a billing provider for Quest, potentially compromising Social Security numbers, financial information and personal medical data.


In a Wednesday letter sent to New Jersey-based Quest, the two senators sought details about how the breach occurred and what steps are being taken in response. They specifically took issue with news reports saying it took seven months for the company to publicly disclose the hack.

“As the nation’s largest blood testing provider, this data breach places the information of millions of patients at risk,” Menendez and Booker wrote. “The months-long leak leaves sensitive personal information vulnerable in the hands of criminal enterprises. Moreover, such breaches force victims to contend with identity theft that may lead to irreparable harm to their credit reports and financial futures, and to confront the real possibility that their confidential medical information and history has been exposed.”

The senators said they want to ensure that companies with access to patient data understand how to protect that information. They gave Quest until June 14 to respond to their questions about the timeline of the breach and how the company previously protected its systems.

Sen. Mark Warner (D-Va.) separately wrote a letter to Quest on Wednesday also demanding answers about the data breach, and criticized the company for failing to protect its patients' personal information.

“While I am heartened to learn that no evidence currently suggests Quest Diagnostic’s systems were breached, I am concerned about your supply chain management, and your third party selection and monitoring process,” Warner wrote to Quest. He added that he expects a response to his questions around how the breach occurred within the next two weeks.

The letters were sent on the heels of a disclosure that another blood testing company, LabCorp, was also impacted by the AMCA data breach.

In a Tuesday filing to the Securities and Exchange Commission, LabCorp reported that the personal information of 7.7 million of its customers was exposed to the same unauthorized user. LabCorp said it was informed by AMCA that the data were exposed between August 2018 and March of this year.

“AMCA’s affected system included information provided by LabCorp,” the company wrote in the SEC filing. “That information could include first and last name, date of birth, address, phone, date of service, provider, and balance information. AMCA’s affected system also included credit card or bank account information that was provided by the consumer to AMCA.”

LabCorp said AMCA is in the process of sending notifications to 200,000 of the 7.7 million patients, letting them know that their credit cards and banking information may have been compromised, but that AMCA has not provided LabCorp with a full list of names of the LabCorp customers affected.

LabCorp wrote that it has stopped sending new billing collection requests to AMCA in response to the breach, the same step Quest took earlier this week.

--This report was updated at 1:51 p.m.