Quest Diagnostics, the world's largest blood-testing company, said Monday that nearly 12 million patients may have had personal information exposed in a data breach. The information includes financial data, Social Security numbers and medical records, though the company said laboratory test results were not exposed.
The breach happened through a contractor of a contractor. Quest outsources its billing collections to Optum360, which in turn used American Medical Collection Agency for such services. AMCA told Quest on May 14 that it suffered a possible incident, but it's unclear exactly when a hack might have occurred. Quest said it doesn't have "detailed or complete information about the AMCA data security incident, including which information of which individuals may have been affected."
Quest also said it hasn't been able to verify the accuracy of the information received from AMCA. Quest said that it hasn't used AMCA for collections since it learned of the incident and that it is "working with forensic experts to investigate the matter."
Quest provides lab testing services to about half of the doctors and hospitals in the U.S., according to securities filings.