Quest Diagnostics said on Monday it was notified by a billing collections vendor that an unauthorized user gained access to information on nearly 11.9 million patients, including credit card numbers and bank account information.

The company has not received all the information about the incident from American Medical Collection Agency (AMCA) and has not been able to verify the accuracy of the information received from AMCA, the diagnostic information services provider said.

Optum360, a unit of UnitedHealth Group, was also notified of the breach, according to Quest’s regulatory filing. Optum360 provides customer billing services to Quest Diagnostics.

AMCA said the user had access between Aug. 1, 2018, and March 30, 2019, to its system that contained information that AMCA had received from various entities, including Quest Diagnostics, and information that AMCA collected itself.

The information also includes medical data and other personal details like social security numbers, AMCA told the company. Patient laboratory test results were not impacted by this incident, Quest Diagnostics said.

The company said it suspended AMCA collection requests. Quests said it was working with AMCA and Optum360, as well as outside security experts to investigate the incident and its potential impact on its patients.