SECAUCUS, NJ – A data breach at a company associated with a major provider of diagnostic testing services has exposed the personal information of millions of patients, according to a filing with the Securities and Exchange Commission.
The data breach was at American Medical Collection Agency, compromising the records of an estimated 11.9 million patients of Quest Diagnostics.
Headquartered in Secaucus, Quest operates offices throughout Bergen County in Teterboro, Hackensack, Paramus, Rutherford, Teaneck, and Englewood.
The SEC filing Monday morning states that personal, financial and medical information was exposed.
“Quest is taking this matter very seriously and is committed to the privacy and security of our patients’ personal information,” the Secaucus-based medical laboratory company said in a press release. “Since learning of the AMCA data security incident, we have suspended sending collection requests to AMCA.”
Also notified of the breach was Optum 360, the manufacturer of what its website calls a “revenue management solution” that is used by 80 percent of U.S. hospitals, and which partnered with Quest in 2016.
The SEC filing reports that the AMCA notified Quest Diagnostics and Optum 360 on May 14 of “potential unauthorized activity on AMCA’s web payment page” that occurred between August 1, 2018 and March 30, 2019.
"Given the deluge in recent years of data breaches exposing personal, medical and financial information, every American should assume the security of that information has been compromised," said Rob Douglas, national identity theft and fraud expert. "For that reason, everyone should place a security freeze on their credit files with Experian, Transunion, Equifax, and Innovis, as means of preventing fraud. Further, be sure that you have two-factor authentication on any account - including your cell phone and email - that contains personal, medical and financial information."
Quest Diagnostics and Optum 360 requested information from AMCA about the breach, but AMCA has yet to provide complete, detailed information about the incident to them, the SEC report also said.
AMCA did, however, provide some information to the affected companies including the dates of the unauthorized access to their systems, the type of data to which the user had access, and the number of patients whose data was affected. The AMCA also told Quest and Optum that it has been in contact with law enforcement about the incident.
Quest noted in its filing that it has been unable to verify the accuracy of the information AMCA provided.
In a statement, AMCA said it is investigating "a data incident involving an unauthorized user" accessing its system. When notified by a credit card company security compliance firm "of a possible security compromise, we conducted an internal review, and then took down our web payments page," it said.
The company then hired a third-party external forensics firm to investigate the potential security breach to its systems, moved its web payments portal to a third-party vendor "and retained additional experts to advise on, and implement, steps to increase our systems’ security."
The company siad it notified law enforcement and is "committed to our system’s security, data privacy, and the protection of personal information."
AMCA’s breached system included financial information such as credit card numbers and bank account information, medical information, and personal information such as Social Security numbers, according to Quest’s SEC filing in which it detailed information that AMCA had provided.
Quest confirmed in its filing that no laboratory results were compromised since no laboratory information was provided to AMCA.
This is not Quest’s first brush with data security issues.
In December 2016, hackers stole 34,000 customers’ personal and medical information. At the time, Quest said it was taking steps to prevent similar incidents in the future, saying in a statement that it was “working with a leading cybersecurity firm to assist in investigation and further evaluating the company’s systems.”
Editor's note: This article has been updated to include the statement received from AMCA.