Quest Diagnostics says nearly 12 million patients may have had data breached



About 11.9 million Quest Diagnostics patients may have had their financial, medical and other personal information exposed in a data breach, the company said Monday.

In a filing with the Securities and Exchange Commission, Quest said a billing collections vendor, American Medical Collection Agency, notified it last month of potential unauthorized activity on AMCA’s web payment page. AMCA provides billing collections services to Optum360, which is a Quest contractor. An unauthorized user had access to the system between Aug. 1, 2018, and March 30, 2019, Quest said.

The system contained sensitive data, including credit card numbers, bank account information, medical information and Social Security numbers, Quest said. Lab results were not provided to AMCA and were not exposed in the breach. AMCA thinks 11.9 million Quest patients were affected as of May 31, 2019, Quest said.

AMCA has not yet provided Quest with complete or detailed information about the breach, and Quest has not been able to verify the accuracy of the information, the company said.

“Quest is taking this matter very seriously and is committed to the privacy and security of our patients’ personal information,” the company said in a press release. “Since learning of the AMCA data security incident, we have suspended sending collection requests to AMCA.” Quest and Optum360 are investigating the situation with forensic experts, Quest said.

AMCA in a statement to CNBC said it’s “investigating a data incident involving an unauthorized user” accessing its system. The company said that after a security compliance firm that works with credit card companies alerted AMCA to a possible security compromise, AMCA conducted an internal review and took down its web payments page.

AMCA said it hired a third-party external forensics firm to investigate, migrated its web payments portal services to a third-party vendor, and hired more experts to advise and implement steps to increase its systems’ security. The company said it also advised law enforcement of the incident.

The company added, “We remain committed to our system’s security, data privacy, and the protection of personal information.”