A data breach at a collection agency has exposed the personal information — including credit card numbers, bank account numbers, and Social Security numbers — of nearly 12 million patients of Quest Diagnostics, the lab company announced yesterday.
The collection agency — American Medical Collection Agency — notified Quest on May 14. It said that an unauthorized user had access to AMCA’s web payment page for nearly eight months, between August 2019 and March 2019.
Quest announced the data breach in a filing with the Securities and Exchange Commission and via a press release. AMCA has disabled its web payment portal in response to the incident.
“Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page,” AMCA said in a statement. “We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security.”
In response to the breach, Quest has stopped sending accounts to AMCA started notifying all affected health plans and regulators, and is working with AMCA and Optum360 — Quest’s revenue cycle management vendor — to investigate the incident.
AMCA has been in contact with law enforcement regarding the breach, according to Quest’s SEC filing. AMCA provides billing and collection services to Optum360. Quest said it has not received “detailed or complete information from AMCA about the incident” and it “has not been able to verify the accuracy of the information received” from the collection agency.
Published reports used the news of the breach to point out that cybercriminals are going after third parties to gain access to more personal information. Many collection agencies believe they are not big enough to be on the radar screens of hackers, but hopefully this news will show the industry that this is definitely not the case.
“This latest data breach at Quest Diagnostics is another example of cybercriminals taking advantage of weaknesses in a third-party vendor’s security to gain access to a treasure trove of sensitive financial and personal data on 12 million people,” said Jason Hart, Chief Technology Officer for the enterprise and cybersecurity division at digital security company Gemalto, a part of Thales.