Editor's Note: This story has been updated to include a statement from American Medical Collection Agency
Medical testing company Quest Diagnostics says 11.9 million customers may have had their medical and financial information compromised due to a data breach at a third-party billing company.
The company revealed the data breach in a filing Monday with the Securities and Exchange Commission.
Billing collections vendor American Medical Collection Agency notified Quest Diagnostics and Optum360, Quest Diagnostics’ revenue cycle management provider, on May 14 of potential unauthorized activity on AMCA’s web payment page, according to the SEC filing.
On May 31, AMCA notified Quest and Optum360 that the data on AMCA’s affected system included information regarding approximately 11.9 million Quest patients. AMCA believes this information includes personal information including certain financial data, Social Security numbers and medical information, but not laboratory test results, Quest Diagnostics said in a press release about the security incident.
AMCA provides billing collections services to Optum360, which in turn is a Quest contractor. Quest and Optum360 are working with forensic experts to investigate the matter, Quest said.
The unauthorized user had access to AMCA's system and the customer information between Aug. 1, 2018, and March 30, 2019.
"AMCA has not yet provided Quest or Optum360 detailed or complete information about the AMCA data security incident, including which information of which individuals may have been affected. And Quest has not been able to verify the accuracy of the information received from AMCA," Quest said.
Quest Diagnostics' laboratory test results were not given to AMCA and therefore weren't impacted by the breach, the company said.
AMCA released a statement Monday evening confirming that the company is investigating a data incident involving an unauthorized user accessing its system. The company received word from a security compliance firm that works with credit card companies of a possible security compromise.
AMCA said it conducted an internal review, and then took down its web payments page. "We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security," the company said.
AMCA also said it advised law enforcement of this incident. "We remain committed to our system’s security, data privacy, and the protection of personal information," AMCA said.
It's the second breach affecting Quest customers in three years. In 2016, the company reported a breach into its MyQuest app that exposed the personal health data of about 34,000 people.
"This latest data breach at Quest Diagnostics is another example of cybercriminals taking advantage of weaknesses in a third-party vendor’s security to gain access to a treasure trove of sensitive financial and personal data on 12 million people," said Jason Hart, chief technology officer for the enterprise and cybersecurity division at digital security company Gemalto, a part of Thales.
In response to this incident, Quest Diagnostics has suspended sending collection requests to AMCA and provided notifications to affected health plans, the company said in the filing. The company will ensure notification is provided to regulators as required by federal and state law.
The company "has been working and will continue to work diligently, along with Optum360, AMCA and outside security experts to investigate the AMCA data security incident and its potential impact on Quest Diagnostics and its patients."
"Quest is taking this matter very seriously and is committed to the privacy and security of our patients’ personal information. Since learning of the AMCA data security incident, we have suspended sending collection requests to AMCA," the company said in the press release.
There are basic steps businesses can take to reduce the impact of data breaches and keep sensitive customer data from being compromised, Hart said. The first step is to control user access to the data through multifactor authentication so only the right individuals can access it. Second, Hart said, is to encrypt the data and secure the encryption keys so cybercriminals can’t access the data and monetize it.
"Only through encryption can you remove the return on investment for cybercriminals to want to steal the data in the first place," Hart said.