Senators query diagnostics companies victimized by data hacks

A hack of healthcare data involving a medical bill collector and two major diagnostics companies is now attracting more questions from key members of Congress.

American Medical Collection Agency, an Elmsford, N.Y.-based collections firm, has now been identified by two large diagnostics companies as the victim in a large healthcare data breach. On Tuesday, Laboratory Corporation of America—widely known as LabCorp—reported that 7.7 million patients’ accounts at AMCA were stored in the vulnerable computer system. The disclosure follows a similar warning by Quest Diagnostics that 11.9 million people were exposed.

The exposed data includes names, dates of birth, addresses, financial and other personal information. LabCorp didn’t provide AMCA with any ordered test, diagnostic information or test results, the company said in a securities filing. Quest said in a statement that the hack may have included unspecified medical information, but not test results.

Three senators, including New Jersey Democrats Bob Menendez and Cory Booker, and Mark Warner, a Virginia Democrat, wrote Quest on Wednesday asking about the breach. Warner, a leading cybersecurity advocate in Congress, said in his letter to Quest that contractors like AMCA were a frequent target.


“I am concerned about your supply chain management, and your third party selection and monitoring process,” Warner said in the letter to Quest Chief Executive Officer Stephen Rusckowski. Quest and LabCorp have both said they haven’t gotten a full accounting of the breach by AMCA.

In a separate letter, Menendez and Booker demanded that Secaucus, N.J.-based Quest provide a detailed timeline of the breach and the company’s reaction to it, including what steps the company has taken to limit patient harm.

Medical records are frequent targets because they contain a rich tapestry of information that can be used for identity theft. One of the largest health-related hacks was a 2015 breach at insurer Anthem, in which records for about 80 million people were exposed. A Chinese citizen was indicted by U.S. authorities last month concerning that hack.

AMCA has said that it’s investigating the breach and has informed law enforcement. In a statement Wednesday, it said that it isn’t at liberty to disclose the names of companies affected “due to client confidentiality concerns.”

AMCA’s website indicates that it sends out 1.4 million letters per month, makes hundreds of thousands of collections calls per day and has worked with at least 25 million people. The website says it has expertise working with clinical labs, hospitals and physician groups.

“It is expected that any organization that uses AMCA for collections would be impacted by this breach,” Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, a computer security firm, said in an email. Hahad said that AMCA’s website had lacked some basic protections.

On Wednesday, AMCA said through an outside spokesman that it will provide credit monitoring to people whose Social Security numbers or credit card accounts were compromised.