Quest Diagnostics, one of the leading medical laboratories and blood testing companies in the United States, has been affected by a data breach at one of its vendors. That breach has resulted in the exposure and potential theft of almost 12 million individuals’ personal, medical, and financial information.

According to a recent U.S. Securities and Exchange Commission (SEC) filing, Quest Diagnostics was notified of a data breach at the billings collection firm American Medical Collection Agency (AMCA) in May. A hacker had gained access to its website payment system for 7 months between August 1, 2018 and March 30, 2019. During that time, the attacker had access to a wide range of highly sensitive information including names, personal information, dates of birth, Social Security numbers, bank account numbers, credit/debit card numbers, and medical information. Quest Diagnostics has confirmed that no lab test results were compromised.

Quest Diagnostics was informed by AMCA that an estimated 11.9 million individuals have been impacted by the breach and that the incident is still under investigation. Computer forensics experts are assisting with the investigation and are attempting to determine the nature and scope of the breach. Quest Diagnostics has not yet been able to verify the accuracy of the information provided by AMCA and has not received details of the individuals affected by the breach at this stage.

AMCA and its billings collection provider, Optum360, were notified about the breach on May 14, 2019. Quest Diagnostics has stopping sending collection requests to AMCA, has sent notifications to all affected health plans, and has been working closely with Optum360, AMCA, and third-party security experts to investigate the breach and determine which patients have been affected and what information has been compromised.

When further information is known about the breach, federal and state regulators will be informed and affected individuals will be mailed breach notification letters and instructions on the steps they can take to reduce the potential for harm.

Upon discovery of the breach AMCA conducted an internal investigation and shut down its web payments page. Its web payment system was migrated to a third-party vendor and steps are being taken to improve the security of its systems.

Quest Diagnostics is just one of the companies that uses AMCA’s services and whose data was accessible through the compromised web portal. It is currently unclear if any other healthcare providers have been affected by the breach.

As it stands, this is the largest healthcare data breach of 2019 by some distance and is several orders of magnitude larger than the 1.56 million record breach at the healthcare clearinghouse Inmediata Health Group, Corp., that was announced in early May.

In fact, this is the second largest healthcare data breach ever to be reported in the United States behind Anthem’s 78.8 million record data breach in February 2015.

What is not yet known is how the hackers gained access to AMCA’s web payments page and whether the breach was due to cybersecurity failures. That will be something the Department of Health and Human Services’ Office for Civil Rights will be keen to determine.