The data breach occurred between Aug. 1, 2018 and March 30, 2019, but was not publicly disclosed until June 3 by Quest Diagnostics, although the company said it first heard of the breach from AMCA of Elmsford on May 14.
The attorneys general sent letters to American Medical Collection Agency, Quest Diagnostics and LabCorp seeking the total number of patients impacted by the breach, as well as the specific number of Connecticut and Illinois residents that were affected by the breach. They are also requesting data on the categories of personal information that might have been compromised, as well as information as to how the companies plan to intend to inform those affected and prevent future data breaches.
“Sensitive personal information of millions of patients may have been compromised, and I am deeply concerned about the adequacy of the plans in place to notify and protect all affected individuals,” Tong said in a statement. “It is important to determine the cause of this serious data breach and what steps these companies are taking to ensure this does not happen again.”
Separately, the office of New York Attorney General Letitia James is conducting an independent inquiry into the matter. The attorneys general of Michigan, Minnesota and North Carolina are also pursuing their own probes.