Massive Quest Diagnostics data breach impacts 12 million patients

Financial and medical information has potentially been exposed.
Written by Charlie Osborne, Contributing Writer

A massive data breach has struck Quest Diagnostics and the information of up to 11.9 million patients has potentially been compromised.

On Monday, the US clinical laboratory said that American Medical Collection Agency (AMCA), a billing collections provider that works with Quest, informed the company that an unauthorized user had managed to obtain access to AMCA systems.

Through the Quest contractor, the unknown individual was able to access -- and potentially steal -- Quest patient data including Social Security numbers, medical information, and financial data.

Quest has not revealed what forms of financial data have been exposed, such as whether card numbers or security codes are included, or whether or not encryption was in place to protect this information.

See also: Unsecured database exposes 85GB in security logs of major hotel chains

Quest says that unauthorized activity took place on "AMCA's web payment page," which may suggest a card skimmer was in play. (These kinds of attacks are the specialization of Magecart, a group which has compromised British Airways, Ticketmaster, and other major brands in the past.)

Laboratory test results are not believed to have been compromised.

Quest was made aware of the breach on May 14, but has not been able to verify AMCA's statement, nor does the company know exactly which patients have been involved. Once the firm has a better understanding of the situation, impacted patients will be told.

Since learning of the data breach, AMCA collection requests have been suspended.

TechRepublic: Employees beware: 33% of CEOs will fire you if you cause a cybersecurity breach

Law enforcement has been notified and a cyber forensics firm has been hired to investigate the security incident.

"We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems' security," Quest said in a statement.

CNET: Apple updates App Store guidelines with further protections for kids

It was only last week that one of New York's largest non-profits, a provider of residential and community care for vulnerable members of society, experienced a similar data breach -- albeit on a far smaller scale. People Inc. said that the financial and medical data of clients may have been exposed.  

These are the worst hacks, cyberattacks, and data breaches of 2018

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards