Quest Diagnostics, one of the biggest blood testing providers in the country, warned Monday that nearly 12 million of its customers may have had personal, financial and medical information breached due to an issue with one of its vendors.
In a filing with securities regulators, Quest said it was notified that between Aug. 1, 2018, and March 30, 2019, someone had unauthorized access to the systems of AMCA, a billing collections vendor.
"(The) information on AMCA’s affected system included financial information (e.g., credit card numbers and bank account information), medical information and other personal information (e.g., Social Security Numbers)," Quest said in the filing.
While customers' broad medical information might have been compromised, Quest said AMCA did not have access to actual lab test results, so that data was not impacted.
Quest said it was told that as of May 31, information on roughly 11.9 million of its patients was stored on the affected AMCA system.
The company said it has not received "detailed or complete" information from AMCA about the breach yet.
"Quest Diagnostics takes this matter very seriously and is committed to the privacy and security of patients’ personal, medical and financial information," the company added in the filing.
In a statement later Monday, the firm representing the American Medical Collection System said it was investigating the "data incident."
"Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page," the statement said. "We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident. We remain committed to our system’s security, data privacy, and the protection of personal information."