U.S. Senators Bob Menendez and Cory Booker (both D-N.J.) are demanding answers from American Medical Collection Agency (AMCA), the third-party billing agency at the center of a data breach that compromised the personal, financial, and medical information of 20 million LabCorp, Quest Diagnostics, and Opko Health patients.

“Consumers should be able to have a reasonable expectation that, when they share their personal data with any company or its billing partner, such as AMCA, the data will be protected,” the senators wrote in a letter to AMCA President Russell Fuchs. “We must ensure that entities with access to patients’ personal, medical, and financial information understand their heightened duty to protect both the patient and their sensitive information and that your company is taking both immediate and long-term steps to mitigate any harm.”

Earlier this month, Secaucus, N.J.-based Quest Diagnostics, the nation’s largest medical testing firm, reported that a several month-long breach compromised the information of 12 million patients. LabCorp then reported a hack affected another eight million patients. It was later revealed that more than 400,000 Opko Health patients were also victimized.

All three companies contract with AMCA for their billing. In the wake of the breach, AMCA’s parent company, Retrieval-Masters Creditors Bureau, this week filed for Chapter 11 protection, with Fuchs stating in the filing that the company incurred “enormous expenses that were beyond the ability of the debtor to bear.”

Despite the development, the push for information is expected to continue.

“Such breaches make private, personal, and financial information vulnerable to criminals, leading to potential identity theft and irreparable harm to their credit reports and financial futures,” the senators wrote. “The potential exposure of a patient’s private medical records presents additional challenges in which such information could be used against patients in a discriminatory manner.”

Among the questions and informational demands posed in the letter:

  • Providing a detailed timeline of the breach, including when it began, its discovery, any investigation of its scope and source, notification to authorities and regulators, notification to AMCA’s senior executives, efforts to notify patients, and notification to both LabCorp and Quest Diagnostics’ senior executives and boards of directors.
  • An explanation for how the breach persisted for eight months without awareness from AMCA.
  • Was this the first data breach at AMCA?
  • A description of AMCA’s efforts to identify the scope of affected patients and breadth of information compromised.
  • Does this breach put any of AMCA’s other partners at risk? If yes, which ones?
  • What steps has AMCA taken to identify and limit potential patient harm associated with this breach?
  • Does AMCA have procedures in place to receive and act on vulnerability reports? If so, please describe these procedures, when they were implemented, and how frequently the company acts to remediate vulnerabilities.
  • What new processes will AMCA implement to better monitor its information and data security?
  • A description of the resources that AMCA dedicates to information and data security.
  • Does AMCA employ a chief information security officer? If so, to whom does that person report?
  • Is anyone at AMCA responsible for evaluating the information and data security of its systems?
  • How many full-time employees at AMCA focus on information and data security?

Meanwhile, Connecticut Attorney General William Tong and Illinois Attorney General Kwame Raoul, both Democrats, have opened an investigation into the data breach.

“The last thing patients should have to worry about is whether their personal information has been compromised by the entities responsible for protecting it,” Raoul said in a statement.

The attorneys general are seeking the facts and circumstances surrounding the breach, measures the companies had in place to protect patient data privacy, and plans to prevent the recurrence of a future breach.