Clinical laboratory firm Quest Diagnostics Inc. has admitted exposure of personal information of nearly 12 million customers after its web payment page was accessed by an unauthorized individual. On Monday, the diagnostic testing provider confirmed in a filing with securities regulators that up to 12 million patients may be affected by a recent data breach at the American Medical Collection Agency. The AMCA was also the third party responsible for a recent LabCorp data breach affecting 7.7 million customers, the testing company said Tuesday. Apart from personal medical information, the company reported that the affected patients’ Social Security numbers and financial data were breached as well, leaving patients susceptible to financial fraud.
The breach happened through a contractor of a contractor. Quest outsources its billing collections to Optum360, which in turn used American Medical Collection Agency for such services. AMCA told Quest on May 14 that it suffered a possible incident, but it's unclear exactly when a hack might have occurred. Quest said it doesn't have "detailed or complete information about the AMCA data security incident, including which information of which individuals may have been affected."
Quest also said it hasn't been able to verify the accuracy of the information received from AMCA. Quest said that it hasn't used AMCA for collections since it learned of the incident and that it is "working with forensic experts to investigate the matter."
Quest was made aware of the breach on May 14, but has not been able to verify AMCA's statement, nor does the company know exactly which patients have been involved. Once the firm has a better understanding of the situation, impacted patients will be told. Since learning of the data breach, AMCA collection requests have been suspended. Law enforcement has been notified and a cyber forensics firm has been hired to investigate the security incident.
"We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems' security," Quest said in a statement.
Quest said it's taking the matter "very seriously" and has suspended collections requests to the AMCA. Quest said patients will be notified and that it's working with forensic experts to investigate the breach.