Medicalrecords are frequent targets because they contain a rich tapestryof information that can be used for identity theft. (Photo:Getty)

A hack of health-care data involving a medical bill collectorand two major diagnostics companies has grown toalmost 20 million people, and is now attracting more questions fromkey members of Congress.

American Medical Collection Agency, an Elmsford, New York-basedcollections firm, has now been identified by two large medicalcompanies as the victim in a large health-care data breach. OnTuesday, Laboratory Corporation of America Holdings said that 7.7million patients' accounts at AMCA were stored in the vulnerablecomputer system. The disclosure follows a similar warning by QuestDiagnostics Inc. that 11.9 million people were exposed.

Related: How to reduce cybersecurity risk to employees'health data

The exposed data includes names, dates of birth, addresses,financial and other personal information. LabCorp didn't provideAMCA with any ordered test, diagnostic information or test results,the company said in a securities filing. Quest said in a statementthat the hack may have included unspecified medical information,but not test results.

Three senators, including New Jersey Democrats Bob Menendez andCory Booker, and Mark Warner, a Virginia Democrat, wrote Quest onWednesday asking about the breach. Warner, a leading cybersecurityadvocate in Congress, said in his letter to Quest that contractorslike AMCA were a frequent target.

“I am concerned about your supply chain management, and yourthird party selection and monitoring process,” Warner said in theletter to Quest Chief Executive Officer Stephen Rusckowski. Questand Laboratory Corporation have both said they haven't gotten afull accounting of the breach by AMCA.

In a separate letter, Menendez and Booker demanded thatSecaucus, New Jersey-based Quest provide a detailed timeline of thebreach and the company's reaction to it, including what steps ithas taken the company has taken to limit patient harm.

Identity theft

Medical records are frequent targets because they contain a richtapestry of information that can be used for identity theft. One ofthe largest health-related hacks was a 2015 breach at insurerAnthem Inc., in which records for about 80 million people wereexposed. A Chinese citizen was indicted by U.S. authorities lastmonth over the hack.

AMCA has said that it's investigating the breach and hasinformed law enforcement. In a statement Wednesday, it said that itisn't at liberty to disclose the names of companies affected “dueto client confidentiality concerns.”

AMCA's website indicates that it sends out 1.4 million lettersper month, makes hundreds of thousands of collections calls per dayand has worked with at least 25 million people. The website says ithas expertise working with clinical labs, hospitals and physiciangroups.

“It is expected that any organization that uses AMCA forcollections would be impacted by this breach,” Mounir Hahad, headof Juniper Threat Labs at Juniper Networks, a computer securityfirm, said in an email. Hahad said that AMCA's website had lackedsome basic protections.

On Wednesday, AMCA said through an outside spokesman that itwill provide credit monitoring to people whose Social Securitynumbers or credit card accounts were compromised.

Read more: 

• One year later: The influence of Equifax &other data breaches on corporate culture
• Accidental data breaches remain the leading causeof loss
• Employee emails, and other common causes of databreaches

Copyright 2019 Bloomberg. All rightsreserved. This material may not be published, broadcast, rewritten,or redistributed.