
Quest Diagnostics said Monday that a potential breach on the web payment page of its billing collections vendor exposed financial and medical information of 11.9 million patients.
The New York-based clinical laboratory provider said that, between Aug. 1, 2018 and March 30, 2019, an unauthorized user had access to the American Medical Collection Agency (AMCA) system containing information that AMCA had received from Quest Diagnostics and others, according to a filing with the U.S. Securities and Exchange Commission (SEC). This information was provided to Quest by AMCA.
The information on AMCA's affected system included medical information, financial information such as credit card numbers and bank account information, and other personal information like Social Security Numbers, according to the Quest filing. Quest said its laboratory tests were not provided to AMCA, and therefore weren't impacted by the breach.
"Quest Diagnostics takes this matter very seriously and is committed to the privacy and security of patients' personal, medical and financial information," the company wrote in its filing.
The number of Quest Diagnostics patients with information on AMCA's affected system as of March 30 was approximately 11.9 million people, the company said. Quest said that AMCA has been in contact with law enforcement regarding the breach.
Quest said it has insurance coverage in place for certain potential liabilities and costs related to the breach. The insurance coverage, however, is limited in amount and subject to a deductible, according to Quest.
In response to the breach, Quest said it has stopped sending collection requests to AMCA. The company has also been working with outside security experts, AMCA and revenue cycle management provider Optum360 to investigate the AMCA breach as well as its potential impact on Quest Diagnostics and its patients.
Quest said it has provided notifications to affected public health plans, and will ensure that notification is provided to regulators and others as required by federal and state law.
