11.9 million patient records exposed in Quest data breach

Quest, which operates medical testing centers around the U.S., is working with law enforcement and UnitedHealth on the effects of the breach.

For eight months, an unauthorized user had access to personal information including credit card numbers and bank accounts, medical information, and personal information. (Image: Shutterstock)

An estimated 11.9 million patients’ personal and medical information may have been exposed in a data breach of a collections agency that works with Quest Diagnostics Inc. and the insurer UnitedHealth Group Inc.

Quest said in a securities filing that it had been informed of the breach by American Medical Collection Agency, an Elmsford, New York-based collections firm. For eight months, an unauthorized user had access to personal information including credit card numbers and bank accounts, medical information, and personal information such as Social Security numbers.

Related: Data breach stalls HealthCare.gov’s direct enrollment system

Quest, which operates medical testing centers around the U.S., said it has suspended sending collections requests to AMCA and is working with law enforcement and with UnitedHealth on the effects of the breach. Quest said it was informed of the incident on May 14.

Medical records are a frequent target of hackers. Along with financial information, they often contain personal health information as well as identifying data like social security numbers that can provide a richer tapestry of information for identity theft.

Quest said it hadn’t been able to verify information about the hack shared with it by AMCA. It wasn’t immediately clear if other health-care companies had been affected.

Shares of Quest were up less than 1% to $96.51 at 9:55 a.m. in New York.

Read more: 

Copyright 2019 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.