Published on August 19th, 2019
Billing Details for 11.9M Quest Diagnostics Clients Exposed
Update: Added official statements from Quest Diagnostics and AMCA regarding the breach at the end of the article.
Quest Diagnostics Incorporated, a Fortune 500 diagnostic services provider, says that approximately 12 million of its clients may have been impacted by a data breach reported by one of its billing providers.
The company reported to the U.S. Securities and Exchange Commission (SEC) that it received a notification from its billing collection provider, American Medical Collection Agency (AMCA), that AMCA's web payment page was breached.
According to its website, AMCA is “managing over $1BN in annual receivables for a diverse client base” and it is the “leading recovery agency for patient collection,” servicing “laboratories, hospitals, physician groups, billing services, and medical providers all across the country.”
As detailed in the SEC notification from Quest Diagnostics, AMCA informed the company that “between August 1, 2018 and March 30, 2019 an unauthorized user had access to AMCA’s system that contained information that AMCA had received from various entities, including Quest Diagnostics, and information that AMCA collected itself.”
Quest Diagnostics states that it took the following measures after being informed of the incident:
The notification also says that the information that could be accessed during the security breach includes financial information such as bank account data and credit card numbers, as well as medical and personal information like Social Security Numbers.
“As of May 31, 2019, AMCA believes that the number of Quest Diagnostics patients whose information was contained on AMCA’s affected system was approximately 11.9 million people,” the SEC notification also says.
Quest Diagnostics said that it has not been able to confirm the accuracy of the information received from AMCA, and that no laboratory test results were impacted by the security incident since they were not provided to AMCA.
The diagnostic information services provider added that it “takes this matter very seriously and is committed to the privacy and security of patients’ personal, medical and financial information.”
AMCA told Quest Diagnostics that it has been “in contact with law enforcement regarding the incident” but has not yet provided “detailed or complete information” regarding the breach.
Quest Diagnostics sent BleepingComputer an official statement saying that the unauthorized user was able to access information provided to AMCA by various entities and that Quest is “working with forensic experts to investigate the matter.”
AMCA also sent an official statement regarding the security breach: