Menu Close

Medical testing giant Quest Diagnostics has confirmed a third-party billing company has been hit by a data breach affecting 11.9 million patients.

The laboratory testing company revealed the data breach in a filing on Monday with the Securities and Exchange Commission.

According to the filing, the breach was a result of malicious activity on the payment pages of the American Medical Collection Agency, a third-party collections vendor for Quest. The “unauthorized user” siphoned off information from the website, like credit card numbers, as well as medical information and personal data from the site.

But laboratory tests were not included in the stolen data, Quest said.

The breach dated back to August 1, 2018 until May 31, 2019, said Quest, but noted that it has “not been able to verify the accuracy of the information” from the AMCA.

Quest had been informed of the breach by American Medical Collection Agency, an Elmsford, New York-based collections firm. For eight months, an unauthorized user had access to personal information including credit card numbers and bank accounts, medical information, and personal information such as Social Security numbers.

Quest said it has suspended sending collections requests to AMCA and is working with law enforcement and with UnitedHealth on the effects of the breach.

Quest said it was informed of the incident on May 14. Several other companies have been hit in recent months by attacks on their websites.Highly targeted credit card skimming attacks hit Ticketmaster, British Airways, and consumer electronics giant Newegg in the past year, affecting millions of customers.

The so-called Magecart group of hackers would break into vulnerable websites and install the malicious code to skim and send data back to the hacker-controlled servers.

It’s the second breach affecting Quest customers in three years.