Breach exposes data of 11.9M Quest Diagnostics patients

Clinical and financial data of 11.9 million patients served by Quest Diagnostics, a nationwide healthcare laboratory chain, has been exposed through a breach of one of its vendors.

American Medical Collection Agency, an Elmsford, N.Y.-based billing and collections business associate of Quest, told Quest that an unauthorized user had access to AMCA’s system containing personal information that AMCA received from various entities, including Quest.

AMCA also provides billing and collections services to Optum360, which is a Quest contractor. Quest and Optum360, a division of UnitedHealth Group, learned of the breach on May 14, after unauthorized activity was discovered on AMCA’s web payment page.

Some reports suggest that the data had been exposed for eight months.

On May 31, AMCA told Quest and Optum360 that data at risk includes personal information, financial data, Social Security numbers and medical information. Laboratory test results were not compromised.

Photo caption: Quest Diagnostics headquarters are seen in Teterboro, New Jersey, April 2, 2002. The biggest medical laboratory company agreed to buy Unilab Corp., California's largest provider of diagnostic testing services, for $1.1 billion. Photographer: Emile Wamsteker/Bloomberg News.

In a statement, Quest Diagnostics says it has not yet received detailed or complete information about the incident, and it is not certain which information of individuals may be affected. Quest further has not yet been able to verify the accuracy of information from AMCA.

For now, Quest has stopped sending collection requests to AMCA. Quest will work with Optum360 to ensure Quest patients are appropriately notified. “We are committed to keeping our patients, healthcare providers and all relevant parties informed as we learn more,” the company said in a brief statement.

In a statement, American Medical Collection Agency said that it’s investigating the incident. It said it has taken down its web payments page, moved its online payments portal services to a third-party vendor, and retained security experts. UnitedHealth said its computer systems were not impacted by the incident.

In addition to providing lab services, Quest also sells a suite of information management systems and conducts clinical trials.
