Menendez, Booker Press for Answers after Patient Data Breach Reaches 20 Million

Senators initiate separate inquiries into LabCorp, Quest


WASHINGTON, D.C. – U.S. Senators Bob Menendez and Cory Booker (both D-N.J.) followed up their request today for additional information from New Jersey-based Quest Diagnostics by launching a separate inquiry into LabCorp, after it was reported that the massive breach exposed the personal, financial and medical information of an estimated combined 20 million patients to hackers and identity thieves.  Both companies use third-party biller American Medical Collection Agency (AMCA).

“This isn’t the first time LabCorp has come under scrutiny due to information security concerns,” wrote Sens. Menendez and Booker in a letter to LabCorp Senior Vice President and Global General Counsel Sandra D. van der Vaart.  “In light of LabCorp’s history of information security challenges, the company has both the knowledge and responsibility to heighten information security standards and processes to better protect the patients it serves.”

LabCorp was sued in June 2018, charging the company with a HIPAA violation for failing to provide adequate privacy protections at its Providence Hospital computer intake station.  The following month—just one month before the AMCA breach began—the company’s IT network was compromised, again leaving vulnerable the information of millions of patients.

After Quest Diagnostics reported that a seven-month-long breach had compromised the information of 12 million patients, LabCorp reported that an eight-month-long hack had affected another eight million patients.

“We request additional information so we may understand exactly how a breach of this level occurred and what the ultimate impact on patients will be,” the letter continued.

Sen. Menendez has authored a package of consumer protection bills aimed at safeguarding Americans’ personal information from data breaches and holding accountable those companies who fail to do so.

Sen. Menendez has consistently led the response to massive corporate data breaches, including at Target, eBay, Home Depot, Equifax, and others. He led the call for Senate hearings into the Equifax breach, urged a top-to-bottom review of all three major credit reporting agencies, and joined a bipartisan group of 34 senators calling for investigations by the Securities and Exchange Commission (SEC), Department of Justice (DOJ) and Federal Trade Commission (FTC) into stock sales and potential insider trading.

The full text of the letter is below.


June 5, 2019

Sandra D. van der Vaart

Senior Vice President and Global General Counsel

531 South Spring Street

Burlington, NC 27215


Dear Ms. van der Vaart: 

We write in response to reports that there has been an eight-month-long data breach involving LabCorp’s partner, the American Medical Collection Agency (AMCA). We are deeply concerned that this breach compromised the personal and financial information of nearly eight million LabCorp patients.

The months-long leak leaves sensitive personal and financial information vulnerable in the hands of criminal enterprises. Moreover, such breaches force victims to contend with identity theft that may lead to irreparable harm to their credit reports and financial futures.

This isn’t the first time LabCorp has come under scrutiny due to information security concerns. As recently as June 2018 your company faced a lawsuit charging LabCorp with a HIPAA violation for failing to provide adequate privacy protections at its Providence Hospital computer intake station. In July 2018, just one month before the AMCA breach began, the company’s IT network was compromised, again leaving the information of millions of your patients vulnerable. In light of LabCorp’s history of information security challenges, the company has both the knowledge and responsibility to heighten information security standards and processes to better protect the patients it serves.

We request additional information so we may understand exactly how a breach of this level occurred and what the ultimate impact on patients will be. We must also ensure that entities with access to patients’ personal, medical, and financial information understand their obligation to protect patients and are taking both immediate and longer-term steps to mitigate this harm. In light of these concerns, please provide responses to the following:

  1. Provide a detailed timeline of the breach, including when it began, its discovery, any investigation of its scope and source, notification to authorities, efforts to notify patients, and notification to LabCorp’s senior executives.
  2. Please describe LabCorp’s efforts to identify the scope of affected patients and breadth of information compromised.
  3. What steps has LabCorp taken to identify and limit potential patient harm associated with this breach?
  4. Does LabCorp plan to provide notice to each affected consumer, or will it rely on consumer-initiated checks to inform them?
  5. Does LabCorp have procedures in place to receive and act on vulnerability reports?
    1. If so, please describe these procedures, when they were implemented, and how frequently the company acts to remediate vulnerabilities.
    2. On what date was LabCorp first notified of a potential breach by AMCA? What immediate steps did it take to protect patients’ information?
  6. Given LabCorp’s past challenges with information security, including its own breach in July 2018 and an alleged HIPAA violation, what steps has LabCorp taken to address information security problems plaguing the company?
  7. What processes does LabCorp have in place to ensure that the companies it outsources patient information to responsibly protect their patients’ information?
  8. What new processes will LabCorp implement to better monitor the information and data security of the companies to which it outsources patient information?
  9. Please explain how the breach persisted for eight months without awareness from LabCorp.
  10. Please describe the resources that LabCorp dedicates to information and data security.
    1. Does LabCorp employ a Chief Information Security officer? If so, to whom does this person report?
    2. Is anyone at LabCorp responsible for evaluating the information and data security of the companies to which it outsources patient information?
    3. How many full-time employees at LabCorp focus on information and data security?
  11. During the past eight months of the breach, how many times has LabCorp conducted a security test, which evaluates both LabCorp’s systems as well as the systems of any companies it outsources to?

We request that LabCorp respond to this request no later than June 14, 2019. Thank you for your prompt attention to this important issue.

Sincerely,


###