Medical data and financial information of nearly 12 million people may have been compromised in a data breach at a billing firm that works with Quest Diagnostics, the laboratory company said in a regulatory document.
The exposed information included credit card numbers and bank account details, Quest said Monday in a U.S. Securities and Exchange Commission filing. The New Jersey-based corporation is one of the giants in the medical testing industry, with more than $7.5 billion in revenue in 2018.
Quest said the American Medical Collection Agency notified it on May 14 about a security incident. AMCA discovered that an outsider infiltrated its web payment system and accessed data belonging to other companies, including Quest Diagnostics.
Quest had outsourced its billing work to Optum360, a health care revenue-cycle manager, which contracted AMCA. AMCA describes itself as a provider of “professional debt collection services are providers that specialize in collecting delinquent accounts,” according to its website.
The unauthorized access occurred between Aug. 1, 2018 and March 30 and affected as many as 11.9 million patients, according to the SEC document. Social Security numbers were also involved, Quest said, but did not provide further details.
Quest said it has not yet received “detailed or complete” information about the breach from AMCA.
In response to the incident, Quest says its suspended sending requests to AMCA, begun notifying regulators and affected health plans, and that it is working with outside security consultants to investigate the matter.
Quest’s “in-network status now extends to approximately 90 percent of commercially insured lives in the U.S.,” CEO Steve Ruscowski said in a February earnings statement. It offers testing for major diseases and conducts drug screening for employers, among other services.
This breach follows a 2016 hack that exposed the test results and personal information of some 34,000 patients in Quest’s database. Laboratory test results that Quest provided to AMCA were not affected by the breach disclosed Monday, Quest said.