Medical records are frequent targets because they contain a rich tapestry of information that can be used for identity theft. (Photo: Getty)

A hack of health-care data involving a medical bill collector and two major diagnostics companies has grown to almost 20 million people, and is now attracting more questions from key members of Congress.

American Medical Collection Agency, an Elmsford, New York-based collections firm, has now been identified by two large medical companies as the victim in a large health-care data breach. On Tuesday, Laboratory Corporation of America Holdings said that 7.7 million patients' accounts at AMCA were stored in the vulnerable computer system. The disclosure follows a similar warning by Quest Diagnostics Inc. that 11.9 million people were exposed.

The exposed data includes names, dates of birth, addresses, financial and other personal information. LabCorp didn't provide AMCA with any ordered test, diagnostic information or test results, the company said in a securities filing. Quest said in a statement that the hack may have included unspecified medical information, but not test results.

Three senators, including New Jersey Democrats Bob Menendez and Cory Booker, and Mark Warner, a Virginia Democrat, wrote Quest on Wednesday asking about the breach. Warner, a leading cybersecurity advocate in Congress, said in his letter to Quest that contractors like AMCA were a frequent target.

“I am concerned about your supply chain management, and your third party selection and monitoring process,” Warner said in the letter to Quest Chief Executive Officer Stephen Rusckowski. Quest and Laboratory Corporation have both said they haven't gotten a full accounting of the breach by AMCA.

In a separate letter, Menendez and Booker demanded that Secaucus, New Jersey-based Quest provide a detailed timeline of the breach and the company's reaction to it, including what steps the company has taken to limit patient harm.

Identity theft

Medical records are frequent targets because they contain a rich tapestry of information that can be used for identity theft. One of the largest health-related hacks was a 2015 breach at insurer Anthem Inc., in which records for about 80 million people were exposed. A Chinese citizen was indicted by U.S. authorities last month over the hack.

AMCA has said that it's investigating the breach and has informed law enforcement. In a statement Wednesday, it said that it isn't at liberty to disclose the names of companies affected “due to client confidentiality concerns.”

AMCA's website indicates that it sends out 1.4 million letters per month, makes hundreds of thousands of collections calls per day and has worked with at least 25 million people. The website says it has expertise working with clinical labs, hospitals and physician groups.

“It is expected that any organization that uses AMCA for collections would be impacted by this breach,” Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, a computer security firm, said in an email. Hahad said that AMCA's website had lacked some basic protections.

On Wednesday, AMCA said through an outside spokesman that it will provide credit monitoring to people whose Social Security numbers or credit card accounts were compromised.

Copyright 2019 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
