Quest Diagnostics on Monday said nearly 12 million of its patients have had personal data exposed as a result of a cybersecurity incident at a billing collections vendor.
The vendor, American Medical Collection Agency, provides services to one of Quest's revenue-cycle contractors, Optum360.
AMCA in May notified Optum360 and Quest that an unauthorized user had accessed the company's web payment system, including data on roughly 11.9 million Quest patients. That data included financial information, Social Security numbers and medical information, but not laboratory test results, according to AMCA.
Quest has since suspended sending collection requests to AMCA.
Quest said AMCA has provided neither Quest nor Optum360 with "detailed or complete information about the AMCA data security incident, including which information of which individuals may have been affected." Quest also said it has not been able to verify the accuracy of the information AMCA has sent about the incident to date.Quest and Optum360 are working with forensic experts to further investigate the incident.
In an emailed statement, AMCA said its investigation into the cybersecurity incident is ongoing.
AMCA added that it has migrated its web payment portal services to a third-party vendor since learning of the unauthorized access. The company is working with outside experts to improve its security.
"We remain committed to our system's security, data privacy and the protection of personal information," the company said.