Clinical lab testing titan Quest Diagnostics acknowledged in a press release on Monday that an “unauthorized user” had gained access to personal information on around 11.9 million customers, including some financial and medical data.
Per NBC News, word of the breach came by way of a Securities and Exchange Commission filing in which Quest wrote that American Medical Collection Agency (AMCA), which provides billing collection services to Quest contractor Optum360, had notified it of the breach in mid-May. NBC wrote that, according to Quest, AMCA’s web payments page may have been compromised between Aug. 1, 2018 and March 30, 2019.
In its statement, Quest wrote that the compromised information could include “certain financial data,” Social Security numbers, and some medical information—but not the results of laboratory tests on patients. It also wrote that the extent of the breach remained unclear:
AMCA believes this information includes personal information, including certain financial data, Social Security numbers, and medical information, but not laboratory test results.
AMCA has not yet provided Quest or Optum360 detailed or complete information about the AMCA data security incident, including which information of which individuals may have been affected. And Quest has not been able to verify the accuracy of the information received from AMCA.
Quest added that it had “suspended” sending collections requests to AMCA. According to the Wall Street Journal, a spokesperson for Optum360’s parent company UnitedHealth said Optum360’s own systems were unaffected by the breach.
A firm representing AMCA issued a statement to NBC New York saying that AMCA had launched an internal investigation after being notified of a potential breach by a “compliance firm that works with credit card companies.” The statement also said that AMCA had hired an “external forensics” company to investigate the breach, brought on a third-party vendor to manage its web payments system, “retained additional experts,” and notified law enforcement of the incident.
“Hackers target financial companies, like this billing collection company, as they often store sensitive financial information that can be turned into immediate gains,” Giovanni Vigna, co-founder of security firm Lastline, told the Washington Post. “This kind of information is much more lucrative than personal health information that, at the moment, is not readily marketable by criminals.”
In May, federal prosecutors charged two individuals in connection with the 2014 breach of health insurance provider Anthem and other companies, which reportedly affected some 78 million people. Prosecutors wrote in the indictment that the hackers worked with a sophisticated Chinese hacking organization and had conspired to use the data to commit wire fraud.
In other incidents, sensitive medical documents or related information have reportedly been left sitting on unprotected servers. Notable examples include an alleged trove of documents on 145,000 patients at a Pennsylvania addiction recovery treatment center, discovered by Cloudflare director of trust and safety Justin Paine earlier this year, and a breach of the federal government’s Healthcare.gov portal in 2018 that may have exposed sensitive, but non-medical, data on up to 75,000 people.