About 11.9 million Quest Diagnostics patients may have had their financial, medical and other personal information exposed in a data breach, the company said Monday.

In a filing with the Securities and Exchange Commission, Quest said a billing collections vendor, American Medical Collection Agency, notified it last month of potential unauthorized activity on AMCA’s web payment page. AMCA provides billing collections services to Optum360, which is a Quest contractor. An unauthorized user had access to the system between Aug. 1, 2018, and March 30, 2019, Quest said.

The system contained sensitive data, including credit card numbers, bank account information, medical information and Social Security numbers, Quest said. Lab results were not provided to AMCA and were not exposed in the breach. AMCA thinks 11.9 million Quest patients were affected as of May 31, 2019, Quest said.

AMCA has not yet provided Quest with complete or detailed information about the breach and it has not been able to verify the accuracy of the information, Quest said.

“Quest is taking this matter very seriously and is committed to the privacy and security of our patients’ personal information,” the company said in a press release. “Since learning of the AMCA data security incident, we have suspended sending collection requests to AMCA.” Quest and Optum360 are investigating the situation with forensic experts, Quest said.

AMCA did not immediately respond to a request for comment.