Quest Diagnostics, one of the world’s largest blood testing companies, has reported that a cybersecurity breach at its debt collection agency may have revealed the personal and medical information of nearly 12 million of its customers over a period of eight months.
In a filing with the Securities and Exchange Commission, Quest said it was first informed in mid-May of potential unauthorized activity on the web payment page hosted by the American Medical Collection Agency (AMCA), its collections service provider. AMCA also works with Optum360, which Quest partnered with in 2016 to help streamline its billing services.
On May 31, AMCA confirmed that the breach affected data covering about 11.9 million Quest patients—including their Social Security numbers, credit card numbers and bank accounts, but not laboratory test results, the company said. The unauthorized user had access from Aug. 1, 2018, through March 30 of this year.
In the following days, LabCorp disclosed that its customers were affected by the same hack as well. The testing giant said it had referred about 7.7 million patients to AMCA, with their data being stored on the compromised system.
Quest and Optum360 are currently working with forensic specialists to investigate, and they plan to notify their affected customers. AMCA told LabCorp that it is currently sending notices to about 200,000 of its customers whose credit card or bank account information may have been accessed, and plans to offer them identity protection and credit monitoring services.
In the meantime, the three companies have halted all collection requests sent to AMCA.
“AMCA has not yet provided Quest or Optum360 detailed or complete information about the AMCA data security incident, including which information of which individuals may have been affected,” Quest said in a company statement. “And Quest has not been able to verify the accuracy of the information received from AMCA.”
Quest’s SEC filing also notes that it carries a limited insurance policy against these types of incidents, as well as for related liabilities and costs, which is subject to a deductible.
Its 2016 partnership with Optum saw about 2,400 Quest employees switch companies; the move aimed to decrease the cost and complexity of the test provider’s billing operations while reducing payment denials from insurers and lost revenue from unpaid medical bills.
Later that year, a breach of its MyQuest app exposed the personal health data of about 34,000 people. The app allows patients to schedule appointments, receive lab results and view their medical information. That breach potentially revealed patients’ names, dates of birth, lab results and phone numbers in some cases.
Editor's Note: This story has been updated with new information regarding the extent of the breach, to include LabCorp.