Printed from BusinessInsurance.com

Clinical lab Quest announces collection agency’s data breach

Posted On: Jun. 3, 2019 3:49 PM CST

data breach

Clinical laboratory firm Quest Diagnostics Inc. said Monday that hackers have gained access to personal data on 11.9 million of its patients.

Secaucus, New Jersey-based Quest said it has been informed by a billing collections provider, Elmsford, New York-based American Medical Collection Agency, that an unauthorized user had access to AMCA’s system containing personal information on the patients.    AMCA provides billing collection services to a Quest contractor, Optum360, a unit of Minnetonka, Minnesota-based UnitedHealth Group. 

The statement said Quest and Optum360 are working with forensics experts to investigate the matter. It said AMCA first notified Quest and Optum360 of potential unauthorized activity on AMCA’s web payment page on May 14.

On May 31, it notified them that the data on affected system on AMCA’s affected system included information regarding about 11.9 million Quest patients, and that it believes this information includes personal information, including certain financial data, Social Security numbers and medical information, but not laboratory test results.

It said AMCA has not yet provided detailed or complete information about the incident, including which information of which individuals may have been affected and Quest has not been able to verify the accuracy of the information it has received from AMCA.

The statement said, “Quest is taking this matter very seriously and is committed to the privacy and security of our patients’ personal information. Since learning of the AMCA data security incident we have suspended sending collection requests to AMCA.” It said it is working with Optum360 “to ensure that Quest patients are appropriately notified consistent with the law. We are committed to keeping our patients, health care providers, and all relevant parties informed as we learn more.”

UnitedHealthcare said in a statement, “While Optum360 data systems were not impacted by this situation, data security is critically important to us, and we are actively working with Quest and AMCA to understand this issue and ensure appropriate actions are being taken.”

AMCA said in a statement it is investigating the incident. “Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page. We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident. We remain committed to our system’s security, data privacy, and the protection of personal information.”

In April, it was announced that Yahoo had struck a revised $117.5 million settlement with millions of people whose email addresses and other personal information were stolen in the largest data breach in history.