Update: Added official statements from Quest Diagnostics and AMCA regarding the breach at the end of the article.

Quest Diagnostics Incorporated, a Fortune 500 diagnostic services provider, says that approximately 12 million of its clients may have been impacted by a data breach reported by one of its billing providers.

The company reported to the U.S. Securities and Exchange Commission (SEC) that it received a notification from its billing collection provider, American Medical Collection Agency (AMCA), that AMCA's web payment page was breached.

According to its website, AMCA is "managing over $1BN in annual receivables for a diverse client base" and it is the "leading recovery agency for patient collection," servicing "laboratories, hospitals, physician groups, billing services, and medical providers all across the country."

As detailed in the SEC notification from Quest Diagnostics, AMCA informed the company that "between August 1, 2018 and March 30, 2019 an unauthorized user had access to AMCA’s system that contained information that AMCA had received from various entities, including Quest Diagnostics, and information that AMCA collected itself."

Quest Diagnostics states that it took the following measures after being informed of the incident:

• suspended sending collection requests to AMCA;

• provided notifications to affected health plans and will ensure that notification is provided to regulators and others as required by federal and state law; and

• been working and will continue to work diligently, along with Optum360, AMCA and outside security experts, to investigate the AMCA data security incident and its potential impact on Quest Diagnostics and its patients.

The notification also says that the information that could be accessed during the security breach includes financial information such as bank account data and credit card numbers, as well as medical and personal information like Social Security Numbers.

"As of May 31, 2019, AMCA believes that the number of Quest Diagnostics patients whose information was contained on AMCA’s affected system was approximately 11.9 million people," the SEC notification also says.

Quest Diagnostics said that it has not been able to confirm the accuracy of the information received from AMCA, and that no laboratory test results were impacted by the security incident since they were not provided to AMCA.

The diagnostic information services provider added that it "takes this matter very seriously and is committed to the privacy and security of patients’ personal, medical and financial information."

AMCA told Quest Diagnostics that it has been "in contact with law enforcement regarding the incident" but has not yet provided "detailed or complete information" regarding the breach.

Quest Diagnostics sent BleepingComputer an official statement saying that the unauthorized user was able to access information provided to AMCA by various entities and that Quest is "working with forensic experts to investigate the matter."

American Medical Collection Agency (AMCA), a billing collections service provider, has informed Quest Diagnostics that an unauthorized user had access to AMCA’s system containing personal information AMCA received from various entities, including from Quest. AMCA provides billing collections services to Optum360, which in turn is a Quest contractor. Quest and Optum360 are working with forensic experts to investigate the matter. AMCA first notified Quest and Optum360 on May 14, 2019 of potential unauthorized activity on AMCA’s web payment page. On May 31, 2019, AMCA notified Quest and Optum360 that the data on AMCA’s affected system included information regarding approximately 11.9 million Quest patients. AMCA believes this information includes personal information, including certain financial data, Social Security numbers, and medical information, but not laboratory test results. AMCA has not yet provided Quest or Optum360 detailed or complete information about the AMCA data security incident, including which information of which individuals may have been affected. And Quest has not been able to verify the accuracy of the information received from AMCA. Quest is taking this matter very seriously and is committed to the privacy and security of our patients’ personal information. Since learning of the AMCA data security incident, we have suspended sending collection requests to AMCA. Quest will be working with Optum360 to ensure that Quest patients are appropriately notified consistent with the law. We are committed to keeping our patients, health care providers, and all relevant parties informed as we learn more.

AMCA also sent an official statement regarding the security breach: