Medical testing giant Quest Diagnostics has confirmed a third-party billing company has been hit by a data breach affecting 11.9 million patients.

The laboratory testing company revealed the data breach in a filing on Monday with the Securities and Exchange Commission.

According to the filing, the breach was a result of malicious activity on the payment pages of the American Medical Collection Agency, a third-party collections vendor for Quest. The “unauthorized user” siphoned off credit card numbers, medical information and personal data from the site.

Laboratory test results were not among in the stolen data, Quest said.

The breach dated back to August 1, 2018 until March 30, 2019, said Quest, but noted that it has “not been able to verify the accuracy of the information” from the AMCA.

Quest said it has since stopped sending collection requests to the vendor while it investigates and has hired outside security experts to understand the damage.

AMCA spokesperson Jennifer Kain said in a statement, supplied through crisis communications firm Brunswick Group, that it was “investigating” the breach.

“Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page,” said the spokesperson.

The company also said it informed law enforcement of the breach.

Several other companies have been hit in recent months by attacks on their websites. Highly targeted credit card skimming attacks hit Ticketmaster, British Airways, and consumer electronics giant Newegg in the past year, affecting millions of customers. The so-called Magecart group of hackers would break into vulnerable websites and install the malicious code to skim and send data back to the hacker-controlled servers.

It’s the second breach affecting Quest customers in three years. In 2016, the company said 34,000 patients had data stolen by hackers.

Updated with a statement from the AMCA.

Read more: