Quest Diagnostics Inc, one of the country’s largest providers of diagnostic testing, said one of the billing collections firms it works with experienced a data breach on its web payment system that may have affected 11.9 million patients.
The data breach may have involved the collection of patients’ financial information, such as credit-card numbers and bank-account information, as well as medical information and personal details, the company said Monday.
Quest said in a securities filing that it had been informed of the breach by American Medical Collection Agency, an Elmsford, New York-based collections firm. For eight months, an unauthorized user had access to personal information including credit card numbers and bank accounts, medical information, and personal information such as Social Security numbers.
According to the filing, the breach was the result of malicious code found on the payment pages of the American Medical Collection Agency, a third-party collections vendor for Quest. The code skimmed information entered into the website, such as credit card numbers, as well as medical information and personal data from the site.
The malicious skimming code dated from August 1, 2018 until May 31, 2019, said Quest, which noted that it has “not been able to verify the accuracy of the information” from the AMCA.
Quest, which operates medical testing centers around the U.S., said it has suspended sending collections requests to AMCA and is working with law enforcement and with UnitedHealth on the effects of the breach. Quest said it was informed of the incident on May 14.
Medical records are a frequent target of hackers. Along with financial information, they often contain personal health information as well as identifying data like Social Security numbers that can provide a richer tapestry of information for identity theft.
Quest said it hadn’t been able to verify information about the hack shared with it by AMCA. It wasn’t immediately clear if other health-care companies had been affected.
While the breach did not happen at Quest Diagnostics, AMCA provides services to Optum360, which in turn provides payment services to Quest Diagnostics, said Bost.
As of Monday, AMCA had not provided Quest Diagnostics or Optum360 complete information about the security breach, including specific information and individuals affected, Bost said in a statement.
In response to the breach, Quest Diagnostics has suspended sending collection requests to AMCA, the statement said.
As of May 31, about 11.9 million patients had information stored on the vendor’s affected system.
It’s far from the first company to be hit by skimming malware. Highly targeted credit card skimming attacks hit Ticketmaster, British Airways, and consumer electronics giant Newegg in the past year, affecting millions of customers. The so-called Magecart group of hackers would break into vulnerable websites and install malicious code to skim data and send it back to hacker-controlled servers.
It’s not known who was behind Quest’s data breach.
A spokesperson for the American Medical Collection Agency did not immediately comment when contacted.
Shares of Quest were up less than 1% to $96.51 at 9:55 a.m. in New York.