As healthcare companies come forward to confirm hackers would have been able to access millions of patients' personal information from a compromised American Medical Collections Agency (AMCA) database, US senators are demanding answers.
Quest Diagnostics was yesterday on the receiving end of an open letter (PDF) issued by Senators Robert Menendez and Cory Booker (both Democrats from New Jersey) seeking some basic information on the blood-testing outfit's security practices and how it plans to handle the massive security fail by its business partner AMCA. Records of nearly 12 million of Quest's customers, stored in an AMCA-hosted data silo, were accessible to hackers for nearly eight months, it emerged this week.
"As the nation's largest blood-testing provider, this data breach places the information of millions of patients at risk," the senators' letter reads. "The months-long leak leaves the sensitive personal information vulnerable in the hands of criminal enterprises."
This comes after Quest told the SEC it was informed by AMCA, the debt collection company hired to extract payments from Quest customers, that its databases of patients had been broken into by hackers. The AMCA-hosted Quest database, which was under the control of one or more intruders from August 1, 2018 to March 30, 2019, contained approximately 11.9 million customer records from Quest.
Bloody awful: Hell-thcare hackers break into databases of 20m medical test biz patientsREAD MORE
While the New Jersey congressional duo note that it was AMCA who was hacked, they still want Quest to explain when and how it learned of the incident and what it plans to do as far as notifying customers and protecting their data from further misuse.
Additionally, the senators are curious as to how the hack was not noticed by Quest nor AMCA for eight months, and whether Quest performed any tests or audits on the security both its internal records and the data it entrusted to outside partners.
The letter gives Quest execs until June 14 to respond. The company did not return a request for comment on the matter.
Similarly, the senators also wrote [PDF] to LabCorp this week, demanding answers. LabCorp had 7.7 million patient records stored in a hacked AMCA database, and is almost certain 200,000 of those entries contained credit card or bank account info that was siphoned off by the intruders.
Meanwhile, add one more medical testing company to the ranks of those hung out to dry by AMCA. OPKO Health, a test and diagnostics firm headquartered in Florida, told the SEC that it too had data stored on compromised AMCA systems. Specifically, records of 422,600 people that included patients' names, dates of birth, addresses, phone numbers, dates of service, and balance information.
Of those 422,600 patients exposed to the hackers, 6,600 had credit card or bank account information included in their file, and will be offered two years of credit and identity theft monitoring service free of charge. ®