A massive data breach has struck Quest Diagnostics and the information of up to 11.9 million patients has potentially been compromised.
On Monday, the US clinical laboratory said that American Medical Collection Agency (AMCA), a billing collections provider that works with Quest, informed the company that an unauthorized user had managed to obtain access to AMCA systems.
Through the Quest contractor, the unknown individual was able to access -- and potentially steal -- Quest patient data including Social Security numbers, medical information, and financial data.
Quest has not revealed what forms of financial data have been exposed, such as whether card numbers or security codes are included, or whether or not encryption was in place to protect this information.
Quest says that unauthorized activity took place on "AMCA's web payment page," which may suggest a card skimmer was in play. (These kinds of attacks are the specialization of Magecart, a group which has compromised British Airways, Ticketmaster, and other major brands in the past.)
Laboratory test results are not believed to have been compromised.
Quest was made aware of the breach on May 14, but has not been able to verify AMCA's statement, nor does the company know exactly which patients have been involved. Once the firm has a better understanding of the situation, impacted patients will be told.
Since learning of the data breach, AMCA collection requests have been suspended.
Law enforcement has been notified and a cyber forensics firm has been hired to investigate the security incident.
"We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems' security," Quest said in a statement.
It was only last week that one of New York's largest non-profits, a provider of residential and community care for vulnerable members of society, experienced a similar data breach -- albeit on a far smaller scale. People Inc. said that the financial and medical data of clients may have been exposed.