Quest Diagnostics Says Nearly 12 Million Patients’ Records May Have Been Breached

Getty Images  Cultura RF

Getty Images Cultura RF

On Monday, the U.S. clinical laboratory said that American Medical Collection Agency (AMCA), a billing collections provider that works with Quest, informed the company that an unauthorized user had managed to obtain access to AMCA systems.

Quest has since suspended sending collection requests to AMCA. Quest outsources its billing collections to Optum360, which in turn used American Medical Collection Agency for such services.

AMCA did not store the results of any medical tests and only had access to general information about patients' medical history.

Until more is known, Quest Diagnostics will stop using that data management provider and patients whose data was compromised will be contacted by the companies.

On May 31, Quest said it learned that the breach affected 11.9 million Quest Diagnostics patients.

"This latest data breach at Quest Diagnostics is another example of cybercriminals taking advantage of weaknesses in a third-party vendor's security to gain access to a treasure trove of sensitive financial and personal data on 12 million people", said Jason Hart, CTO for the enterprise and cybersecurity division at digital security company Gemalto, a part of Thales.

Law enforcement has been notified and a cyber forensics firm has been hired to investigate the security incident.

It's the second breach affecting Quest customers in three years. "This kind of information is much more lucrative than personal health information, that, at the moment, is not readily marketable by criminals", commented Dr. Giovanni Vigna, co-founder and CTO of Lastline. The statement added: For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest ("SPG") account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. "Users should monitor their credit cards and bank accounts for unusual activity, and, in addition, freeze their credit reports". Quest also hasn't been able to independently verify the information provided by AMCA so far, it said.

"Action can be taken to freeze information at the credit bureaus and indicate that financial information has been compromised". The company has are dozens of locations across the Bay Area.