Nearly 12M Patients Potentially Affected in Quest Diagnostics Data Breach

June 3, 2019
A third-party billings collections vendor is the specific company that was breached

Clinical laboratory provider Quest Diagnostics has acknowledged that a billings collections vendor it works with suffered a data breach on its web payment system that may have exposed information of nearly 12 million of Quest’s patients.

The third-party company, Elmsford, N.Y.-based American Medical Collection Agency (AMCA), is contracted with Optum360 LLC, which in turn provides payment services to Quest Diagnostics.

In a filing with securities regulators, Quest said that between Aug. 1, 2018 and March 30, 2019, “an unauthorized user had access to AMCA’s system that contained information that AMCA had received from various entities, including Quest Diagnostics, and information that AMCA collected itself.”

The filing further noted that as of May 31, AMCA believes that the number of Quest Diagnostics patients whose information was contained on AMCA’s affected system was approximately 11.9 million people, and that the billings collection firm has been in contact with law enforcement regarding the incident.

The data breach potentially could have included the collection of patients’ financial information, such as credit card numbers and bank account information, as well as medical information and personal details such as Social Security numbers, Quest officials said on June 3, per the filing. However, they added that laboratory results weren’t given to AMCA and thus were not part of this breach.

In response to this incident, Quest said in its filing that it has suspended sending collection requests to AMCA, and has provided notifications to affected health plans, while ensuring that notifications are provided to regulators and others as required by federal and state law.

In an updated statement posted to its website, Quest officials said that “AMCA has not yet provided Quest or Optum360 detailed or complete information about the AMCA data security incident, including which information of which individuals may have been affected.  And Quest has not been able to verify the accuracy of the information received from AMCA.”

This is the second major public data breach of Quest, which operates more than 2,000 patient centers in the U.S. Back in December 2016, the company notified approximately 34,000 patients after their MyQuest patient portal was hacked and protected health information (PHI) was accessed and obtained.

Cybersecurity specialists were quick to release statements on June 3 following this latest incident. Ben Goodman, vice president of global strategy and innovation at ForgeRock, a software company that develops identity and access management technology, noted, “The information exposed in the latest breach of Quest Diagnostics can lead to serious implications for the patients affected. Malicious users can now open credit cards or take out loans, intercept tax refunds, cover medical treatment, open utility accounts and even take flights with victims’ airline miles.” Goodman added, “This is the second breach that Quest has suffered in three years, and as a publicly traded company, that can lead to serious repercussions with shareholder trust, stock price and brand reputation. The data exposed can also result in litigation…”