Quest, LabCorp breaches face state and federal review

Attorneys general from three states are pledging investigations of the breach at American Medical Collection Agency, believed to have exposed personal information of 20 million patients.

Attorneys General Dana Nessel of Michigan, Kwame Raoul of Illinois and William Tong of Connecticut are investigating the data breach at AMCA, which affected the data of nearly 12 million patients of Quest Diagnostics and 7.7 million patients of Laboratory Corporation of America (LabCorp).

The state officials have issued letters to AMCA, Quest, and LabCorp requesting additional information about the incident. The breach resulted from malicious activity on the payment page of AMCA’s website. AMCA is a third-party collection vendor for the medical testing companies.

“This data breach is yet another example of how fragile our information infrastructure is and how vulnerable all of us are to cyber hacking,” says Nessel. “Here in Michigan, we continue to rely on media reports that alert us to these situations because, unlike most states, we have no law on the books that requires our office to be notified when a breach occurs.”

“Sensitive personal information of millions of patients may have been compromised, and I am deeply concerned about the adequacy of the plans in place to notify and protect all affected individuals. It is important to determine the cause of this serious data breach and what steps these companies are taking to ensure this does not happen again,” Tong says.


Members of Congress also are asking questions: Senators Bob Menendez (D-N.J.), Cory Booker (D-N.J.) and Mark Warner (D-Va.) have contacted Quest and LabCorp to get more information on their data security practices.

“The months-long leak leaves sensitive personal information vulnerable in the hands of criminal enterprises,” Menendez and Booker wrote to Quest. “Moreover, such breaches force victims to contend with identity theft that may lead to irreparable harm to their credit reports and financial futures, and to confront the real possibility that their confidential medical information and history has been exposed.”


At the state level, Raoul and Tong are requesting each company provide the total number of residents in Illinois, Connecticut and nationwide affected by the breach; a breakdown of the categories of personal information compromised; and information describing how the companies intend to inform and protect impacted residents.

Raoul and Tong also are seeking the facts and circumstances surrounding the breach, measures the companies had in place to protect patient data privacy, and plans to prevent a future breach.

Patients who may have been affected by the breach should receive notification from one of the companies involved, as well as information detailing additional steps they should take.

Raoul encourages patients concerned that their personal information has been compromised to consider requesting a free security freeze from the three credit reporting agencies—Equifax, Experian and TransUnion—in writing, over the phone or online.
