Quest Diagnostics, a top medical testing lab, has revealed 12 million customer records including social security numbers and financial and medical data “may have” been hacked through a debt collector’s servers.
“Financial information (e.g., credit card numbers and bank account information), medical information and other personal information (e.g., Social Security Numbers)” of 11.9 million Quest customers may have been breached after servers belonging to Quest’s billing collections vendor AMCA were compromised by an “unauthorized user” between August 2018 and March 2019, the company said in a securities filing on Monday.
Quest has been unable to get the full story from AMCA for nearly three weeks after learning of the breach, but attempted to reassure shareholders that there was a silver lining, of sorts: at least the collections agency didn’t have access to patients’ actual test results, and only “broad” medical information could have been stolen alongside the identity and bank data.
While the breach became public on May 10, when researchers with cybersecurity firm Gemini Advisory found credit card payment information for about 200,000 individuals that appeared to originate with AMCA for sale on the dark web, AMCA has not yet turned over “detailed or complete information” to Quest about the vulnerability, according to the SEC filing. The company only learned how many customers were potentially affected last week.
“Quest is taking this matter very seriously” and has “suspended sending collection requests to AMCA,” the company said in a press release about the incident, though they admitted they were “not able to verify the accuracy of the information received from AMCA.”
Quest serves half the hospitals and physicians in the US, and one in three adult healthcare customers, according to its website. It’s not the first time those customers have had their personal data strewn across the web, though the AMCA breach affects many more people than a 2016 hack that saw 34,000 patients’ personal and medical information – including lab results – stolen.
Healthcare record hacking has become big business; by 2016, one in three American adults had had their healthcare records compromised.