Quest Diagnostics faced questions Wednesday from lawmakers over a recently disclosed data breach affecting millions of patients of the world’s largest blood testing company.
Senators sought answers from Stephen Rusckowski, Quest’s chairman and president, after becoming aware of an incident involving American Medical Collection Agency, or AMCA, a third-party collections firm contracted until recently by his New Jersey-based clinical lab giant.
“We are deeply concerned that this breach compromised the personal, financial and medical information of nearly 12 million Quest Diagnostic Inc. patients,” Sens. Robert Menendez and Cory Booker, New Jersey Democrats, wrote in a letter to Mr. Rusckowski.
“As the nation’s largest blood testing provider, this data breach places the information of millions of patients at risk,” they wrote. “The months-long leak leaves sensitive personal information vulnerable in the hands of criminal enterprises. Moreover, such breaches force victims to contend with identity theft that may lead to irreparable harm to their credit reports and financial futures, and to confront the real possibility that their confidential medical information and history has been exposed.”
Sen. Mark Warner, Virginia Democrat and co-chair of the Senate Cybersecurity Caucus, raised similar concerns in a separate letter, meanwhile.
“While I am heartened to learn that no evidence currently suggests Quest Diagnostic’s systems were breached, I am concerned about your supply chain management and your third-party selection and monitoring process,” Mr. Warner wrote.
“I would like more information on your vendor selection and due diligence process, sub-supplier monitoring, continuous vendor evaluation policies and what you plan to do about your other vendors, given the vulnerability and information security failures of this one,” he wrote.
Quest did not immediately return a message seeking comment.
In a filing entered Monday with the Securities and Exchange Commission, Quest said it was notified last month by the debt collection agency about “potential unauthorized activity on AMCA’s web payment page” that may have compromised the personal information of approximately 11.9 million Quest patients between August 1, 2018, and March 30, 2019.
“Quest is taking this matter very seriously and is committed to the privacy and security of our patients’ personal information,” Quest said in an accompanying statement. “Since learning of the AMCA data security incident, we have suspended sending collection requests to AMCA.”
“We are investigating a data incident involving an unauthorized user accessing the American Medical Collection Agency system,” AMCA said in a statement. “Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page.”
Quest handles tests for more than 147 million patients annually, or about one-in-three adult Americans, according to its website. Headquartered in Secaucus, the company generated approximately $7.71 billion in revenue in 2017, according to the site.
Copyright © 2019 The Washington Times, LLC. Click here for reprint permission.