Quest Diagnostics: Medical info of 11.9M compromised in breach

The unauthorized access also included Social Security numbers, credit card data and banking information – but not laboratory results, the company said.
By Mike Miliard
04:02 PM

A massive data breach at Quest Diagnostics has exposed the medical and financial information of as many as 11.9 million patients, according to the laboratory giant.

Quest Diagnostics says that one of its outsourced vendors, American Medical Collection Agency, discovered an unauthorized user had gained access to an AMCA system that was connected to data from companies including Quest.

According to AMCA, which does billing collections for Optum360, a Quest contractor, this unauthorized person had access to the network for eight months – between Aug. 1, 2018, and March 30, 2019.

"The system contained sensitive data, including credit card numbers, bank account information, medical information and Social Security numbers," said Quest officials in a statement. "Lab results were not provided to AMCA and were not exposed in the breach."

Quest Diagnostics said that while it and Optum360 are working with forensic experts to learn more about the circumstances, "AMCA has not yet provided Quest with complete or detailed information about the breach and it has not been able to verify the accuracy of the information."

Even if the number of patients impacted by the Quest Diagnostics incident doesn't increase, the reported total is already up there with some of the largest-ever breaches in healthcare. In fact, it may be the second-biggest ever.

The reported totals are still smaller than the 79 million records compromised in the record-setting Anthem breach of 2015, but they're bigger than the Premera Blue Cross and Excellus BlueCross BlueShield breaches (more than 11 million and 10 million, respectively) that also took place that year – and used to hold the 2nd and 3rd spots on the list of healthcare's biggest breaches.

"Quest is taking this matter very seriously and is committed to the privacy and security of our patients’ personal information," said the lab giant in a statement. "Since learning of the AMCA data security incident, we have suspended sending collection requests to AMCA.

"Quest will be working with Optum360 to ensure that Quest patients are appropriately notified consistent with the law," officials said. "We are committed to keeping our patients, healthcare providers, and all relevant parties informed as we learn more."

Twitter: @MikeMiliardHITN

Healthcare IT News is a publication of HIMSS Media.
