(Bloomberg) -- A hack of health-care data involving a medical bill collector and two major diagnostics companies has grown to almost 20 million people, and is now attracting more questions from a key member of Congress.
American Medical Collection Agency, an Elmsford, New York-based collections firm, has now been identified by two large medical companies as the victim of the latest large health-care data breach. On Tuesday, Laboratory Corporation of America Holdings said that 7.7 million patients’ accounts at AMCA were stored in the vulnerable computer system. The disclosure follows a similar warning by Quest Diagnostics Inc. that 11.9 million people were exposed.
The data exposed in the hack includes names, dates of birth, addresses, financial and other personal information.
U.S. Senator Mark Warner, a Virginia Democrat who is a leading cybersecurity advocate in Congress, wrote Quest on Wednesday asking about the breach, saying that contractors like AMCA were a frequent target.
“I am concerned about your supply chain management, and your third party selection and monitoring process,” Warner said in the letter to Quest Chief Executive Officer Stephen Rusckowski. Quest and Laboratory Corporation have both said they haven’t gotten a full accounting of the breach by AMCA.
Medical records are frequent targets for hackers because they contain a rich tapestry of information that can be used for identity theft. One of the largest health-related hacks was a 2015 breach at insurer Anthem Inc., in which records for about 80 million people were exposed. A Chinese citizen was indicted by U.S. authorities last month over the hack.
AMCA has said that it is investigating the breach and has advised law enforcement. The company has repeatedly declined to say if any other firms or their customers might have been affected. AMCA’s website indicates that it sends out 1.4 million letters per month, makes hundreds of thousands of collections calls per day and has worked with at least 25 million people. The website says it has expertise working with clinical labs, hospitals and physician groups.
“It is expected that any organization that uses AMCA for collections would be impacted by this breach,” Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, a computer security firm, said in an email. Hahad said that AMCA’s website had lacked some basic protections.
On Wednesday, AMCA said through an outside spokesman that it will provide credit monitoring to people whose Social Security numbers or credit card accounts were compromised.