This comes as another firm revealed millions of its customers may also have been caught up in the same breach.
On Monday, Quest announced that an “unauthorized user” possibly gained access to the personal information of up to 11.9 million patients through a breach at its billing collection service, American Medical Collection Agency. Shortly after, LabCorp reported 7.7 million of its customers also may have had their data compromised in the AMCA breach.
According to Quest, which is based in Secaucus, N.J., AMCA believes the information included financial data, Social Security numbers and medical information, but not lab test results.
“It’s pretty incredible that we’re talking maybe about 20 million patients,” said Sen. Bob Menendez (D-NJ) in an interview with Yahoo Finance.
On Wednesday, Menendez and Sen. Cory Booker (D-NJ) wrote a letter to Quest Diagnostics CEO Stephen Rusckowski asking how the breach happened and what the company plans to do about it.
“As the nation’s largest blood testing provider, this data breach places the information of millions of patients at risk. The months-long leak leaves sensitive personal information vulnerable in the hands of criminal enterprises,” the senators said in the letter.
Asking for answers from the CEO
The senators asked Rusckowski to answer 10 questions — ranging from his plans to investigate the breach to the company’s current security procedures and its plans to improve security measures going forward. They want answers by June 14.
“I want to know what steps Quest Diagnostics has taken to identify and limit potential patient harm associated with the breach. I want to know whether they plan to provide notice to each affected consumer — or just rely upon whether or not the consumer initiates a check — to inform them,” said Menendez.
Sen. Mark Warner (D-VA) also wrote a separate letter to Quest Diagnostics, requesting answers in the next two weeks.
“I am concerned about your supply chain management, and your third-party selection and monitoring process. According to a recent report, 20% of data breaches in the health care sector last year were traced to third-party vendors, and an estimated 56% of provider organizations have experienced a third-party breach,” said Warner.
Late Wednesday afternoon, Menendez and Booker sent a separate letter to the LabCorp Senior Vice President and Global General Counsel, Sandra D. van der Vaart.
“This isn’t the first time LabCorp has come under scrutiny due to information security concerns,” the senators wrote. “In light of LabCorp’s history of information security challenges, the company has both the knowledge and responsibility to heighten information security standards and processes to better protect the patients it serves.”
Menendez and Booker also want answers from van der Vaart by June 14th.
Menendez has introduced legislation with the goal of cracking down on data breaches and protecting consumers’ personal information.
“It’s critical because at the end of the day, we’re talking about consumers — through no fault of their own — potentially face irreparable harm to their credit reports, to their financial futures. They confront the real possibility that their medical information and history has been exposed and how that can be used and manipulated,” said Menendez.
Next week, the Senate Banking Committee will hold a privacy hearing focusing on data brokers – companies that aggregate and sell consumer information.
Menendez, a member of the committee, plans to bring up the recent data breaches and the impact on consumers.
“While that’s a big issue [data brokers] in and of itself, I want to also raise these other issues as well and hopefully drive the chairman to be looking at this in a greater, in-depth way,” he said.
Jessica Smith is a reporter for Yahoo Finance based in Washington, D.C. Follow her on Twitter at @JessicaASmith8.