Millions of Quest Diagnostics patients may have had their financial, medical and other personal information exposed in a data breach, the company announced on Monday.
Officials at Quest Diagnostics said Monday that the personal information of 11.9 million people, including Social Security numbers, may have been compromised after one of its billing collectors reported a data breach.
According to Quest Diagnostics, American Medical Collection Agency (AMCA) notified the company and a Quest contractor that uses AMCA’s billing services last month. The number of patients impacted was only recently determined.
“American Medical Collection Agency (AMCA), a billing collections service provider, has informed Quest Diagnostics that an unauthorized user had access to AMCA’s system containing personal information AMCA received from various entities, including from Quest.
"AMCA provides billing collections services to Optum360, which in turn is a Quest contractor. Quest and Optum360 are working with forensic experts to investigate the matter,” the company posted in a statement.
Quest noted that “AMCA has not yet provided Quest or Optum360 detailed or complete information about the AMCA data security incident, including which information of which individuals may have been affected. And Quest has not been able to verify the accuracy of the information received from AMCA.”
The data breach spanned from Aug. 1 of last year through May 31. Quest said that it has since stopped sending collection requests to AMCA while the investigation is ongoing. An outside security expert has been hired to determine the damage of the breach.
“Quest is taking this matter very seriously and is committed to the privacy and security of our patients’ personal information. Since learning of the AMCA data security incident, we have suspended sending collection requests to AMCA.”
"We are investigating a data incident involving an unauthorized user accessing the American Medical Collection Agency system," an AMCA spokesperson said in a statement. "Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page.
"We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident. We remain committed to our system’s security, data privacy, and the protection of personal information."
Darren Hayes, Assistant Professor at Pace University’s Seidenberg School of Computer Science and Information Systems, said the announcement by Quest comes as no surprise "as healthcare records command higher prices on the black market than most types of personal identifiable information."
"The breadth of information available from healthcare companies is far greater than most breaches," Hayes said. "In the case of Quest Diagnostics, we can see that personal financial data and medical records appear to have been compromised."
Hayes said Quest is just one of many healthcare companies to have been targeted in recent attacks, including Anthem (80 million impacted), Premera (11 million impacted) and TRICARE (4.9 million impacted).
"The mandated move to Electronic Health Records (EHR) and the rapid growth of cloud services means that more healthcare data is available electronically and from more sources than ever before," Hayes said. "The idea that such invasive data has been compromised in the Quest Diagnostics breach is extremely concerning and creates the potential for all kinds of fraud.
"Those impacted should consider adding a fraud alert to the credit reporting agencies and a credit freeze will provide additional protection to consumers.”