Quest Diagnostics Reports Nearly 12 Million Patients Suffered Data Violation

About 11.9 million Quest Diagnostics patients were able to see their financial, medical and other personal information exposed as part of a data breach, the company said on Monday.

In a document filed with the Securities and Exchange Commission, Quest announced that a billing system provider, American Medical Collection Agency, had informed it last month of a possible unauthorized activity on the online payment page of the AMCA. AMCA provides bill collection services to Optum360, a Quest contractor. An unauthorized user had access to the system between August 1, 2018 and March 30, 2019, said Quest.

The system contained sensitive data, including credit card numbers, bank account information, medical information and social security numbers, said Quest. Laboratory results were not provided to the AMCA and have not been exposed in the breach. According to AMCA, 11.9 million Quest patients were affected by May 31, 2019.

AMCA has not yet provided Quest with complete or detailed information about the breach and has not been able to verify their accuracy, Quest said.

"Quest takes this case very seriously and is committed to protecting the privacy and security of our patients' personal information," the company said in a press release. "Since learning of the AMCA data security incident, we have suspended sending collection requests to AMCA." Quest and Optum360 are investigating the situation with forensic experts, Quest said.

ACMA stated in a statement to CNBC that it "investigated a data incident involving an unauthorized user" accessing its system. The company said that after a security compliance company working with credit card companies alerted ACMA of a possible security compromise, it had conducted an internal review and had deleted his payment page on the Web.

The ACMA announced that it hired a third-party forensic law firm to conduct a survey, migrated its Web payment portal services to a third-party provider, and recruited more experts to advise and implement measures to strengthen the security of its systems. The company also said it informed the forces of the order of the incident.

The company added, "We remain committed to the security of our system, the confidentiality of data and the protection of personal information."