NEW YORK (360Dx) – Quest Diagnostics said today that up to 11.9 million of its patients may have been exposed to a data breach of a collection agency used by Quest.
In a filing with the US Securities and Exchange Commission, Quest said that it had been informed by the billing collections vendor, American Medical Collection Agency, that an unauthorized user got access to a system operated by AMCA that included personal information from Quest patients, such as credit card numbers, as well as bank account, medical, and other personal information such as social security numbers.
The unauthorized user obtained access to the system between Aug. 1, 2018, and March 30, 2019. It consisted of information that AMCA received from Quest and others, and information that AMCA collected.
On May 14, AMCA notified Quest and Optum360, Quest's revenue cycle management provider, of potential unauthorized activity on AMCA’s web payment page, according to the SEC filing.
AMCA has been in contact with law enforcement regarding the incident, Quest said.
In response to the incident, Quest has suspended sending collection requests to AMCA. Further, Quest said that it has provided notifications to affected health plans and will ensure that regulators and others are notified as required by federal and state laws.
The firm said that along with Optum360, AMCA, and outside security experts, it has been investigating the data security incident and its potential impact on Quest and its patients.
Quest said that it has not yet received "detailed or complete information" from AMCA about the incident, and it has not been able to verify the accuracy of the information received from AMCA.
Quest did not provide laboratory test results to AMCA, so they were not impacted.