On June 3, 2019, Quest Diagnostics filed a Form 8-K with the SEC which stated:
On May 14, 2019, American Medical Collection Agency (AMCA), a billing collections vendor, notified Quest Diagnostics Incorporated (“Quest Diagnostics”) and Optum360 LLC, Quest Diagnostics’ revenue cycle management provider, of potential unauthorized activity on AMCA’s web payment page. Quest Diagnostics and Optum360 promptly sought information from AMCA about the incident, including what, if any, information was subject to unauthorized access. Although Quest Diagnostics and Optum360 have not yet received detailed or complete information from AMCA about the incident, AMCA has informed Quest Diagnostics and Optum360 that:
- between August 1, 2018 and March 30, 2019 an unauthorized user had access to AMCA’s system that contained information that AMCA had received from various entities, including Quest Diagnostics, and information that AMCA collected itself;
- the information on AMCA’s affected system included financial information (e.g., credit card numbers and bank account information), medical information and other personal information (e.g., Social Security Numbers);
- as of May 31, 2019, AMCA believes that the number of Quest Diagnostics patients whose information was contained on AMCA’s affected system was approximately 11.9 million people; and
- AMCA has been in contact with law enforcement regarding the incident.
Quest Diagnostics has not been able to verify the accuracy of the information received from AMCA.
Quest Diagnostics’ laboratory test results were not provided to AMCA and were therefore not impacted by this incident. [Emphasis added.]
According to Forbes.com, this data breach is ” . . . a significantly bigger security breach than the one Quest experienced in late 2016. In that incident, the health information of 34,000 customers was breached.”