Quest Diagnostics says data on nearly 12M patients exposed by breach

The affected system contained financial data and medical information, says the lab.

Carrie Mihalcik Former Managing Editor / News


Quest Diagnostics said 11.9 million of its patients may have been exposed in a data breach of computer systems at the American Medical Collection Agency, a billing collection firm the medical lab works with.

An unauthorized user had access to the AMCA's web payments system, which contained personal information such as financial data, Social Security numbers and medical data, Quest said Monday in a release. The company said lab test results weren't affected by the breach. 

The AMCA first notified Quest of potential unauthorized activity on May 14, according to the release. Quest said it's still waiting on complete information from the AMCA and that it hasn't been able to verify the accuracy of the info it's received.

In a statement Monday, the AMCA said it notified law enforcement of the incident and hired an external forensics firm to help investigate the breach. 

"Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page," the company said in an emailed statement. "We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems' security."

Breaches continue to happen on a massive scale as companies collect data on millions of people and fail to properly protect it. Marriott experienced one of the largest personal data breaches in history, losing information belonging to 383 million guests, while hackers hit Yahoo and stole data belonging to 3 billion accounts. But just because your information is stolen doesn't mean you're helpless. You can, and should, change your passwords.

Quest said it's taking the matter "very seriously" and has suspended collections requests to the AMCA. Quest said patients will be notified and that it's working with forensic experts to investigate the breach.

Originally published June 3, 8:41 a.m. PT.
Update, 12:45 p.m.: Adds statement from the AMCA.