Quest Diagnostics, one of largest providers of diagnostic testing in the US, today confirmed that nearly 12 million customers may have had information compromised due to a data breach. American Medical Collection Agency (AMCA), a billing collections service provider notified Quest Diagnostics that an unauthorized user had access to AMCA’s system containing personal information AMCA received from various entities, including from Quest. AMCA provides billing collections services to Optum360, a Quest contractor.
Incident Timeline
AMCA first notified Quest and Optum360 on May 14, 2019 of potentially unauthorized activity on AMCA’s web payment page. On May 31, 2019, AMCA notified Quest and Optum360 that the data on AMCA’s affected system included information regarding approximately 11.9 million Quest patients. AMCA believes this information includes personal information, including certain financial data, Social Security numbers, and medical information, but not laboratory test results.
Next Steps
Quest and Optum360 are working with forensic experts to investigate the matter. AMCA has not yet provided Quest or Optum360 detailed or complete information about the AMCA data security incident, including which information of which individuals may have been affected. Quest has not been able to verify the accuracy of the information received from AMCA.
Since notification of the incident, Quest has suspended sending collection requests to AMCA. Quest will be working with Optum360 to ensure that Quest patients are appropriately notified consistent with the law.
Industry Expert Speaks Out
“Online payments always present a slew of security risks, especially when personal and health information might be exposed alongside the financial concerns. The risks may include credential stuffing, client-side vulnerabilities such as XXS, as well as server side vulnerabilities including remote code execution and server-side request forgery. When payment is subcontracted, as in the case of QuestDiagnostics, both sides need to be doubly concerned by the security of the APIs. Internet transactions are only as secure as the people and the tools safeguarding them,” said Ivan Novikov – CEO of AI-powered application security company Wallarm, white hat hacker and penetration tester.
AMCA Statement
“We are investigating a data incident involving an unauthorized user accessing the American Medical Collection Agency system. Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page. We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident. We remain committed to our system’s security, data privacy, and the protection of personal information.”