Almost 12 million patients of Quest Diagnostics have had their data compromised following a cybersecurity incident at American Medical Collection Agency (AMCA).
AMCA, a billing collections company based in New York, informed Quest Diagnostics that 11.9 million of their patients had been impacted after a hacker had gained access to AMCA’s systems.
Quest Diagnostics, one of the US’s largest blood testing facilities, has stated that AMCA has yet to provide them with ‘detailed or complete information about the AMCA data security incident, including which information of which individuals may have been affected’.
AMCA provides services to several different medical providers. The quantity of Quest Diagnostics files compromised alone places this breach among the worst in United States history. As more information about the incident is released, it is likely that more entities will announce that they have been affected.
The 2015 Anthem data breach is the current record-holder for the worst data breach, with 78.8 million files affected.
Researchers at Gemini Advisory, a cybersecurity company, first identified the breach at AMCA in May 2019. Gemini notified AMCA when they discovered 200,000 patients’ credit card details for sale on the dark web. However, AMCA did not respond to Gemini’s warning, so Gemini instead reported their findings to databreaches.net. The researchers determined that a hacker had stolen the credit card details between September 2018 and March 2019. Gemini also reported the breach to relevant law enforcement authorities.
AMCA provides billing collection services to Optum360, a business associate of Quest Diagnostics and a unit of the health insurer UnitedHealth Group. AMCA notified Quest Diagnostics and the revenue cycle management vendor Optum360 about the breach on May 14, 2019.
In their notification, AMCA stated that a breach had occurred that resulted in the exposure of patient data between August 1, 2018, and March 30, 2019. AMCA has contracted a third-party computer forensics firm to assist with their investigation into the breach.
AMCA has yet to release an exact figure of the number of patients affected by the breach but has told Quest Diagnostics that the likely number is to be around 11.9 million. AMCA also confirmed the compromised system contained data from entities other than Quest Diagnostics but has not released information on which other organisations or how many individuals are affected.
The hackers gained access to systems containing information such as names, personal information, Social Security numbers, financial information, and medical information. The hacker could not access laboratory test results while they had access to AMCA’s system.
Quest Diagnostics has issued a statement saying it is working closely with Optum360 and will send notification letters to all affected individuals when AMCA provides full details of the breach, stating that they are ‘committed to keeping our patients, health care providers, and all relevant parties informed as [we] learn more’.
Quest also said in a statement that they have “not been able to verify the accuracy of the information received from AMCA.”