Medical testing and medication firm Opko Health is now the third company to be impacted by a security breach at a third-party billing collections firm, bringing the total number of patients' data potentially exposed by the breach to over 20 million.
In a filing (PDF) Thursday with the Securities and Exchange Commission, Opko Health said one of its subsidiaries, BioReference Laboratories Inc., was notified by American Medical Collection Agency (AMCA) of unauthorized activity on its web payment page.
AMCA advised BioReference that data for approximately 422,600 patients for whom BioReference performed testing was stored in the affected AMCA system, according to the filing. The information on the affected system included patient names, dates of birth, addresses, phone numbers, dates of service, providers and balance information as well as credit card and bank information. BioReference did not provide lab results or diagnostic information to AMCA, and Social Security numbers were also not compromised.
BioReference has not sent any collection requests to AMCA since October 2018, and it will not send any new collection requests to AMCA, Opko Health said in the filing.
The unauthorized activity occurred over an eight-month time period, between August 1, 2018 and March 30, 2019, AMCA said.
Two major diagnostics companies, Quest Diagnostics and LabCorp, were also impacted by the data breach. Quest Diagnostics disclosed on Monday that 11.9 million customers may have had their medical and financial information exposed. LabCorp revealed on Tuesday that 7.7 million patients' accounts at AMCA were stored in the vulnerable computer system and may also have been exposed.
The growing theft of health care data is drawing scrutiny from key members of Congress. Three Democratic Senators, Bob Menendez (New Jersey), Cory Booker (New Jersey) and Mark Warner (Virginia), wrote Quest on Wednesday with questions about the company's third-party vendor information security vetting and other security measures.
Warner, a leading cybersecurity advocate in Congress, said in the letter to Quest CEO Stephen Rusckowski that he was concerned about Quest's supply chain management and third-party selection and monitoring process. He noted that contractors like AMCA were frequent targets for cyber attacks.
Warner said he wanted more information about the company's vendor selection and due diligence process, sub-supplier monitoring, vendor evaluation policies and what it plans to do about its other vendors.
In a separate letter (PDF) to Rusckowski, Menendez and Booker demanded that Quest provide a detailed timeline of the breach incident and the steps the company is taking to identify and limit potential patient harm.
"The months-long leak leaves sensitive personal information vulnerable in the hands of criminal enterprises. Moreover, such breaches force victims to contend with identity theft that may lead to irreparable harm to their credit reports and financial futures, and to confront the real possibility that their confidential medical information and history has been exposed," Menendez and Booker wrote.
In a letter (PDF) to Sandra D. van der Vaart, senior vice president and global general counsel for LabCorp, Menendez and Booker noted this isn't the first time the company has come under scrutiny due to information security concerns. "As recently as June 2018 your company faced a lawsuit charging LabCorp with a HIPAA violation for failing to provide adequate privacy protections at its Providence Hospital computer intake station," the Senators wrote.
In July 2018, just one month before the AMCA breach began, LabCorp's IT network was compromised, they said.
"In light of LabCorp's history of information security challenges, the company has both the knowledge and responsibility to heighten information security standards and processes to better protect the patients it serves," Menendez and Booker said.
The Senators demanded that LabCorp also provide a detailed timeline of the breach incident and outline what the company has done, in light of its past security challenges, to address information security problems.