In a press release on Monday, clinical lab testing titan Quest Diagnostics stated that an "unauthorized user" had access to personal information on approximately 11.9 million customers, including some financial and medical data.
According to NBC News, the breach was reported through a Securities and Exchange Commission filing, in which Quest said that the American Medical Collection Agency (AMCA), which provides contractor Optum360 with billing services, had reported the breach mid-year. NBC wrote that, according to Quest, the AMCA payments website may have been compromised from August 1, 2018 to March 30, 2019.
In its statement, Quest wrote that compromised information could include "certain financial data," Social Security numbers, and other medical information, but not the results of laboratory tests on patients. It also noted that the extent of the breach remained unclear:
AMCA believes that this information contains personal data, including certain financial data, social security numbers and medical information, but not laboratory test results.
AMCA has not yet provided Quest or Optum360 with detailed or complete information about the AMCA privacy incident, including information about which individuals may be affected. And Quest was unable to verify the accuracy of the information received from AMCA.
Quest added that the sending of collection requests to AMCA was "suspended". According to the Wall Street Journal, a spokesman for the Optum360 parent, UnitedHealth, said its Optum360 systems were not affected by the breach.
A company representing AMCA said in a statement to NBC New York that AMCA had initiated an internal investigation following notification of a possible breach by a "compliance firm that works with credit card companies." The company also wrote that AMCA had commissioned an "external forensics company" to investigate the breach, mandated a third-party vendor to manage its web payment system, called in additional experts and informed law enforcement about the incident.
Security experts widely believe that the number and severity of serious data breaches are increasing, with health-related systems among the key targets.
"Hackers target financial companies like this collection agency because they often store sensitive financial information that can be converted into immediate profits," Giovanni Vigna, co-founder of security firm Lastline, told the Washington Post. "This type of information is far more lucrative than personal health information that cannot be readily marketed by criminals."
In May, federal prosecutors filed charges against two people in connection with a 2014 breach of health insurer Anthem and other companies, which reportedly affected around 78 million people. In the indictment, the prosecution wrote that the hackers had collaborated with a sophisticated Chinese hacking organization and plotted to use the data to commit wire fraud.
Other incidents reportedly left confidential medical documents or related information exposed on unprotected servers. These included a series of documents from over 145,000 patients of a Pennsylvania addiction recovery treatment center, discovered earlier this year by Cloudflare's director of trust and security, Justin Paine, as well as a 2018 breach of the federal government's Healthcare.gov portal that exposed sensitive but non-medical data of up to 75,000 people.