Quest Diagnostics has confirmed that an unauthorized user gained access to a third-party billing service system and may have accessed personal data on nearly 12 million patients.
American Medical Collection Agency (AMCA), a billing collections service provider for multiple entities, contacted Quest on May 14, 2019 about the unauthorized activity.
In the alert, AMCA said the incident involved a compromise of AMCA’s web payment page. However, few details were provided on potential vulnerabilities or root cause. AMCA provides billing and collections services for multiple entities, including Quest contractor Optum360.
After the initial incident was discovered, AMCA followed up with Quest and Optum360 on May 31 to confirm that the compromised AMCA system contained 11.9 million patient records.
“AMCA believes this information includes personal information, including certain financial data, Social Security numbers, and medical information, but not laboratory test results,” Quest said in the news release.
Quest also could not confirm which personal data elements were impacted. In addition, the company could not verify the AMCA information was fully accurate. Furthermore, Quest did not comment on what data encryption or other safeguards were in place.
Quest said the company and Optum360 are working with forensic experts to investigate the security incident.
Related stories include the Magecart skimming attacks from last month. The Wipro data breach earlier this year and others like it are also reminders of the importance of third-party security.