Two Democratic state attorneys general have launched an investigation into a massive data breach at American Medical Collection Agency, a company that provides billing collection services to healthcare organizations.
LabCorp and Quest Diagnostics last week said that the data breach affected nearly 8 million and 12 million of their patients, respectively.
AMCA provides services to LabCorp and one of Quest's revenue-cycle contractors, Optum360.
Illinois Attorney General Kwame Raoul and Connecticut Attorney General William Tong are requesting that AMCA, LabCorp and Quest each provide information on the number of residents in Illinois, Connecticut and the U.S. affected by the breach, as well as a description of how the companies plan to protect patients whose personal data was exposed.
Raoul and Tong are also investigating what measures the three companies had in place to protect patient privacy prior to the incident and what plans they have implemented since to prevent future data breaches.
"Sensitive personal information of millions of patients may have been compromised, and I am deeply concerned about the adequacy of the plans in place to notify and protect all affected individuals," Tong said in a statement.
AMCA said an unauthorized user accessed its web payment system, which held data on millions of patients, some time from August 2018 to March 2019. The breached system reportedly included patients' demographic and financial data, but not their laboratory test results. Quest said the breached system included Social Security numbers of its patients as well.
AMCA has provided neither Quest nor LabCorp with information on which patients' data was exposed in the breach, the companies said in separate statements.
Both companies have suspended sending collection requests to AMCA.
Sens. Cory Booker (D-N.J.) and Bob Menendez (D-N.J.) also launched inquiries into AMCA, Quest and LabCorp last week.
As part of the inquiries, Booker and Menendez are seeking information on how the data breach persisted for nearly eight months.
"Consumers should be able to have a reasonable expectation that, when they share their personal data with any company or its billing partner, such as AMCA, the data will be protected," the senators wrote in a letter to AMCA President Russell Fuchs.
AMCA has said its investigation into the data breach is ongoing.
In an emailed statement last week, AMCA said it was taking steps to increase the security of its systems, including migrating its web payment portal services to a third-party vendor.
"We remain committed to our system's security, data privacy and the protection of personal information," the company said.