Connecticut Attorney General William Tong and Illinois Attorney General Kwame Raoul have opened an investigation into the data breach at American Medical Collection Agency (AMCA), according to a press release issued earlier this month.

AMCA, LabCorp, and Quest Diagnostics have yet to respond to a request for comment.

"Sensitive personal information of millions of patients may have been compromised, and I am deeply concerned about the adequacy of the plans in place to notify and protect all affected individuals," said Tong.

LabCorp and Quest Diagnostics in June disclosed unauthorized activity on the web payment page of the companies’ billing collections service provider, the American Medical Collection Agency (AMCA). The provider informed both companies that an unauthorized user had access to AMCA’s system containing data from various companies.

In a letter addressed to AMCA President Russell Fuchs, New Jersey Senators Robert Menendez and Cory Booker requested an explanation as to “how the breach persisted for eight months without awareness from AMCA,” as well as a timeline of the breach, including notification to regulators, patients, and LabCorp and Quest Diagnostics executives, among others.

The letter also asked whether the company will implement new processes to “better monitor its information and data security.”

“Consumers should be able to have a reasonable expectation that, when they share their personal data with any company or its billing partner, such as AMCA, the data will be protected. Further, patients have a right to expect nothing more from laboratory testing than accurate results and a fair bill; risk of identity theft should not be part of their testing experience,” the letter reads.

The senators asked for a response no later than June 14, 2019. As of publication, the office of Senator Menendez was unable to confirm whether a response had been received.

Exacerbating public mistrust?

The situation with LabCorp and Quest is unusual because the data breach involved financial information rather than health data, said John Lewis, strategic communications consultant at Intersect Strategies.

As such, HIPAA – the Health Insurance Portability and Accountability Act of 1996, US legislation which provides data privacy and security provisions to protect medical information – would not apply.

“But the broader issue is that some companies believe they can hide from these data breaches by only meeting a minimum legal disclosure requirement of including notice in their SEC filings,” Lewis told us, adding that this also was seen recently with Charles River Labs, which reported a data breach in an SEC filing dated April 2019.

“In fairness,” Lewis added, “we do not know what efforts were made to communicate the breach to affected customers.”

Lewis noted that these situations are foreseeable, and as such, companies should have proactive communication plans in place.

“By not publicly acknowledging these hacks, and explaining what steps they are taking at remediation and prevention, these companies are only exacerbating public mistrust,” he said.