Clinical laboratory firm Quest Diagnostics Inc. has admitted that the personal information of nearly 11.9 million customers was exposed after its web payment page was accessed by an unauthorized individual.
In a press release, the company revealed that its billing system, which is managed by American Medical Collection Agency (AMCA), a vendor hired by Quest contractor Optum360, was accessed by an unauthorized user.
According to the company, the breach led to the exposure of critical personal data, including Social Security numbers, bank account data, credit card numbers, medical history and other information, but luckily test results weren’t exposed.
Quest Diagnostics is a Fortune 500 company that mainly provides diagnostic services. The breach was initially reported on May 14 by its billing system provider AMCA, and later both Quest Diagnostics and AMCA notified the US Securities and Exchange Commission (SEC) about the data exposure.
After a while, AMCA provided detailed information about the data breach to both Optum360 and Quest Diagnostics, such as the number of affected patients and the kind of data that was accessed. Quest Diagnostics has since stopped using the billing system provided by AMCA, and forensic experts have been brought in to investigate the incident.
According to Optum360, its own data systems weren’t accessed at all and hence remain unaffected by the data breach. However, it further stated that security is extremely important to the company and that its team is “actively working with Quest and AMCA to understand this issue and ensure appropriate actions are being taken.”
AMCA has also stated that the incident is under investigation and that its team is committed to ensuring optimal data privacy, system security, and the safeguarding of private information of its users, including patients and health care providers.
Interestingly, the stock for Quest Diagnostics wasn’t affected by this data breach. In their detailed notification sent to the SEC, Quest Diagnostics and AMCA revealed more details about the incident. According to the notification, the breach was observed between August 1, 2018, and March 30, 2019.
Moreover, the information accessed by the unauthorized user was collected by AMCA from a variety of different entities, one of which was Quest Diagnostics. Quest Diagnostics has not only suspended sending collection requests to AMCA after the incident but also sent notifications to the affected health plans and regulators so as to remain compliant with federal and state law.