Quest Says Millions of Patient Records Exposed in Data Hack

(Bloomberg) -- An estimated 11.9 million patients’ personal and medical information may have been exposed in a data breach of a collections agency that works with Quest Diagnostics Inc. and a unit of the insurer UnitedHealth Group Inc.

Quest said in a securities filing that it had been informed of the breach by American Medical Collection Agency, an Elmsford, New York-based collections firm. For eight months, an unauthorized user had access to personal information including credit card numbers and bank accounts, medical information, and personal information such as Social Security numbers.

Quest, which operates medical testing centers around the U.S., said it has suspended sending collections requests to AMCA and is working with law enforcement and with UnitedHealth on the effects of the breach. Quest said it was informed of the incident on May 14.

Medical records are a frequent target of hackers. Along with financial information, they often contain personal health information as well as identifying data like social security numbers that can provide a richer tapestry of information for identity theft.

Quest said it hadn’t been able to verify information about the hack shared with it by AMCA. It wasn’t immediately clear if other health-care companies had been affected.

In a statement, American Medical Collection Agency said that it’s investigating the incident. It said it has taken down its web payments page, moved its online payments portal services to a third-party vendor, and retained security experts. UnitedHealth said that computer systems at its Optum360 unit were not impacted by the incident.

Shares of Quest closed up less than 1% to $96.16 in New York.

To contact the reporter on this story: Robert Langreth in New York at rlangreth@bloomberg.net

To contact the editors responsible for this story: Drew Armstrong at darmstrong17@bloomberg.net, Timothy Annett

©2019 Bloomberg L.P.