(Bloomberg) -- A hack of health-care data involving a medical bill collector and two major diagnostics companies has grown to almost 20 million people, and is now attracting more questions from key members of Congress.
American Medical Collection Agency, an Elmsford, New York-based collections firm, has now been identified by two large medical companies as the victim in a large health-care data breach. On Tuesday, Laboratory Corporation of America Holdings said that 7.7 million patients’ accounts at AMCA were stored in the vulnerable computer system. The disclosure follows a similar warning by Quest Diagnostics Inc. that 11.9 million people were exposed.
The exposed data includes names, dates of birth, addresses, financial and other personal information. LabCorp didn’t provide AMCA with any ordered test, diagnostic information or test results, the company said in a securities filing. Quest said in a statement that the hack may have included unspecified medical information, but not test results.
Three senators, including New Jersey Democrats Bob Menendez and Cory Booker, and Mark Warner, a Virginia Democrat, wrote Quest on Wednesday asking about the breach. Warner, a leading cybersecurity advocate in Congress, said in his letter to Quest that contractors like AMCA were a frequent target.
“I am concerned about your supply chain management, and your third party selection and monitoring process,” Warner said in the letter to Quest Chief Executive Officer Stephen Rusckowski. Quest and Laboratory Corporation have both said they haven’t gotten a full accounting of the breach by AMCA.
In a separate letter, Menendez and Booker demanded that Secaucus, New Jersey-based Quest provide a detailed timeline of the breach and the company’s reaction to it, including what steps it has taken the company has taken to limit patient harm.
Medical records are frequent targets because they contain a rich tapestry of information that can be used for identity theft. One of the largest health-related hacks was a 2015 breach at insurer Anthem Inc., in which records for about 80 million people were exposed. A Chinese citizen was indicted by U.S. authorities last month over the hack.
AMCA has said that it’s investigating the breach and has informed law enforcement. In a statement Wednesday, it said that it isn’t at liberty to disclose the names of companies affected “due to client confidentiality concerns.”
AMCA’s website indicates that it sends out 1.4 million letters per month, makes hundreds of thousands of collections calls per day and has worked with at least 25 million people. The website says it has expertise working with clinical labs, hospitals and physician groups.
“It is expected that any organization that uses AMCA for collections would be impacted by this breach,” Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, a computer security firm, said in an email. Hahad said that AMCA’s website had lacked some basic protections.
On Wednesday, AMCA said through an outside spokesman that it will provide credit monitoring to people whose Social Security numbers or credit card accounts were compromised.