A backend healthcare system containing the medical and financial information of 11.9 million people has been breached, Quest Diagnostics Inc. disclosed today.

The company, a major blood testing lab with 45,000 employees worldwide, detailed the incident in a filing with the Securities and Exchange Commission. The breach took place at a New York-based collection firm called American Medical Collection Agency that has been providing billing services for Quest. For an eight-month period between last August and this March, an “unauthorized user” had access to a system the firm used to store patient information.

The compromised information contained numerous sensitive records. According to Quest’s disclosure, the repository included Social Security numbers, financial data such as bank account details and certain unspecified medical information.

The company said that there weren’t any lab results among the records. That’s good news for Quest patients, but the hack still amounts to a major breach of privacy. The filing doesn’t specify if the information in the compromised system was encrypted or if it was stored in an unprotected, plain text format that could be easily read.

Quest did, however, divulge that the system contained information shared with AMCA by “various entities,” which leaves open the possibility other healthcare providers’ patients may have been compromised as well. In response to the incident, Quest has stopped sending bills to AMCA and contracted external cybersecurity experts to investigate. 

The company “has been working and will continue to work diligently, along with Optum360 [its billing management provider], AMCA and outside security experts, to investigate the AMCA data security incident and its potential impact on Quest Diagnostics and its patients,” Quest deputy general William O’Shaughnessy wrote in the filing.

The breach is not the first time Quest patients’ data has been stolen. In 2016, hackers breached the company’s network and made away with information belonging to 34,00 people, including sensitive records such as lab results and dates of birth.

This latest hack comes only weeks after cybercriminals broke into a database operated by an SMS marketing company that contained records about 80 million users. More recently, the federally operated HealthCare.gov online insurance exchange suffered a breach that affected 75,000 people.

Photo: Quest Diagnostics