Menendez, Booker Target Medical Billing Company at Center of Quest, LabCorp Patient Data Breach

Menendez, Booker Target Medical Billing Company at Center of Quest, LabCorp Patient Data Breach

 

NEWARK, N.J. – U.S. Senators Bob Menendez and Cory Booker (both D-N.J.) today demanded answers from American Medical Collection Agency (AMCA), the third-party billing agency at the center of a data breach that has compromised the personal, financial and medical information of 20 million LabCorp, Quest Diagnostics, and Opko Health patients.

“Consumers should be able to have a reasonable expectation that, when they share their personal data with any company or its billing partner, such as AMCA, the data will be protected,” the senators wrote in a letter to AMCA President Russell Fuchs.  “We must ensure that entities with access to patients’ personal, medical, and financial information understand their heightened duty to protect both the patient and their sensitive information, and that your company is taking both immediate and long-term steps to mitigate any harm.”

Earlier this week, Secaucus, N.J.-based Quest Diagnostics, the nation’s largest medical testing firm, reported a several months-long breach compromised the information of 12 million patients.  LabCorp then reported a hack affected another eight million patients, and yesterday, it was revealed that over 400,000 Opko Health patients were victimized.  All three companies contract with AMCA for their billing.

“Such breaches make private, personal and financial information vulnerable to criminals, leading to potential identity theft and irreparable harm to their credit reports and financial futures,” the senators continued.  “The potential exposure of a patient’s private medical records presents additional challenges in which such information could be used against patients in a discriminatory manner.”  

Sens. Menendez and Booker have already initiated separate inquiries with Quest and LabCorp to get a better understanding of the breach’s scope and any remediation the companies plan to provide to victims.

Sen. Menendez has authored a package of consumer protection bills aimed at safeguarding Americans’ personal information from data breaches and holding accountable those companies who fail to do so.

Sen. Menendez has consistently led the response to massive corporate data breaches, including at Target, eBay, Home Depot, Equifax, and others.  He led the call for Senate hearings into the Equifax breachurged a top-to-bottom review of all three major credit reporting agencies, and joined a bipartisan group of 34 senators calling for investigations by the Securities and Exchange Commission (SEC), Department of Justice (DOJ) and Federal Trade Commission (FTC) into stock sales and potential insider trading.

The full text of the letter is below and can be downloaded here

June 7, 2019

Russell Fuchs

American Medical Collection Agency

4 Westchester Plaza, Suite 110

Elmsford, NY 10523

Dear Mr. Fuchs:

We are deeply troubled by reports that a massive, eight-month-long data breach impacted two of American Medical Collection Agency’s (AMCA) partners, Quest Diagnostics Inc. and LabCorp, compromising the personal, financial, and medical information of a combined nearly 20 million patients. 

Such breaches make private personal and financial information vulnerable to criminals, leading to potential identity theft and irreparable harm to their credit reports and financial futures. The potential exposure of a patient’s private medical records presents additional challenges in which such information could be used against patients in a discriminatory manner.  

Consumers should be able to have a reasonable expectation that, when they share their personal data with any company or its billing partner, such as AMCA, the data will be protected.  Further, patients have a right to expect nothing more from laboratory testing than accurate results and a fair bill; a risk of identity theft should not be part of their testing experience.

We request information from your company to better understand how a breach of this magnitude occurred and the ultimate impact on patients. We must ensure that entities with access to patients’ personal, medical, and financial information understand their heightened duty to protect both the patient and their sensitive information, and that your company is taking both immediate and long-term steps to mitigate any harm.

In light of these concerns, please provide responses to the following:

  1. Provide a detailed timeline of the breach, including when it began, its discovery, any investigation of its scope and source, notification to authorities and regulators, notification to AMCA’s senior executives, efforts to notify patients, and notification to both LabCorp and Quest Diagnostics’s senior executives and boards of directors.
    • Please explain how the breach persisted for eight months without awareness from AMCA.
  2. Is this the first data breach at AMCA? If not, please list the dates and duration of any prior data breaches. Please also describe any processes or standards the company implemented as a result of prior breaches.
  3. Please describe AMCA’s efforts to identify the scope of affected patients and breadth of information compromised.
  4. Does this breach put any of AMCA’s other partners at risk? If yes, which ones? What information has AMCA provided to its partners regarding the breach?
  5. What steps has AMCA taken to identify and limit potential patient harm associated with this breach? 
  6. AMCA has informed LabCorp and Quest Diagnostics that it intends to offer the impacted patients identity protection and credit monitoring services for 24 months
    • Does AMCA plan to promote its paid services to these individuals at the end of the free two years?
    • Does AMCA plan to provide notice to each affected consumer, or will it rely on its partners to notify patients
  7. Does AMCA have procedures in place to receive and act on vulnerability reports?
    • If so, please describe these procedures, when they were implemented, and how frequently the company acts to remediate vulnerabilities.
  8. What new processes will AMCA implement to better monitor its information and data security? 
  9. Please describe the resources that AMCA dedicates to information and data security.
    • Does AMCA employ a Chief Information Security officer? If so, to whom does this person report?
    • Is anyone at AMCA responsible for evaluating the information and data security of its systems?
    • How many full-time employees at AMCA focus on information and data security?

10. During the period in which the breach occurred, how many times did AMCA conduct a security test to evaluate AMCA systems, and, if so, why did it fail to detect the breach?  Has AMCA done one since, and what were the results?

We request that AMCA respond to this request no later than June 14, 2019. Thank you for your prompt attention to this important issue.

Sincerely,

###