Medical testing giant Quest Diagnostics has confirmed a third-party billing company has been hit by a data breach affecting 11.9 million patients.
The laboratory testing company revealed the data breach in a filing on Monday with the Securities and Exchange Commission.
According to the filing, the breach was a result of malicious activity on the payment pages of the American Medical Collection Agency, a third-party collections vendor for Quest. The “unauthorized user” siphoned off credit card numbers, medical information and personal data from the site. Laboratory test results were not among the stolen data, Quest said.
Quest, which operates medical testing centers around the U.S., said it has suspended sending collections requests to AMCA and is working with law enforcement and with UnitedHealth on the effects of the breach. Quest said it was informed of the incident on May 14.
Medical records are a frequent target of hackers. Along with financial information, they often contain personal health information as well as identifying data like social security numbers that can provide a richer tapestry of information for identity theft.
The breach ran from August 1, 2018 until May 31, 2019, said Quest, which noted that it has “not been able to verify the accuracy of the information” from the AMCA.
Quest said it has since stopped sending collection requests to the vendor while it investigates and has hired outside security experts to understand the damage.
Several other companies have been hit in recent months by attacks on their websites. Highly targeted credit card skimming attacks hit Ticketmaster, British Airways, and consumer electronics giant Newegg in the past year, affecting millions of customers.
The so-called Magecart group of hackers would break into vulnerable websites and install malicious code to skim data and send it back to hacker-controlled servers.
It’s the second breach affecting Quest customers in three years. In 2016, the company said 34,000 patients had data stolen by hackers.