Quest Diagnostics Discloses Breach of Patient Records

(The Washington Post)

Quest Diagnostics, the medical testing company, said a data breach has affected about 11.9 million patients, after an “unauthorized user” gained access to financial data, Social Security numbers, and medical data, but not laboratory test results.

A collections agency called American Medical Collection Agency notified Quest about a potential intrusion on May 14 and then reported on the scope of the breach on Friday.

AMCA provides services to Optum360, a Quest billing contractor. Quest said it does not have details about which patients were affected and what data was stolen.

Quest “has not been able to verify the accuracy of the information received from AMCA,” Quest said in a statement posted on its website Monday. Quest has suspended collections requests through the agency, it said.

“Quest is taking this matter very seriously and is committed to the privacy and security of our patients’ personal information,” the company said. It indicated that plans are in the works to begin notifying individual patients but did not give a timeline.

AMCA provided few details of the breach. It said in a prepared statement that it learned its security had been penetrated from a consultant working for credit-card companies.

It moved its payment portal to a third-party vendor and took other steps to beef up security, the agency said.

Optum360, which is part of UnitedHealth Group, did not respond to requests for comment.

A data security consultant said hackers are not interested in health care information, which is not easily monetized, but are hunting down firms that handle financial information for bank account and Social Security numbers.

“Hackers target financial companies, like this billing collection company, as they often store sensitive financial information that can be turned into immediate gains,” said Dr. Giovanni Vigna, co-founder of network security provider Lastline. “This kind of information is much more lucrative than personal health information, that, at the moment, is not readily marketable by criminals.”