In another major data breach affecting the healthcare industry, Quest Diagnostics has disclosed that the personal information of around 11.9 million of its patients may have been compromised.
The lab testing giant said Monday in a regulatory filing that an “unauthorized user” gained access to the web payment system of American Medical Collection Agency (AMCA), which provides Quest with billing collection services, between Aug. 1, 2018 and March 30, 2019.
The system contained the sensitive data of about 11.9 million Quest patients, including credit card numbers, bank account information, medical information and Social Security numbers, Quest said. Lab test results, however, are not provided to AMCA.
Quest “will continue to work diligently … to investigate the AMCA data security incident and its potential impact on Quest Diagnostics and its patients,” the company said in the filing.
As Gizmodo reports, “Major data breaches are widely believed by security experts to be growing in both number and severity, with systems tied to the health care industry one of the prime targets.
“Hackers target financial companies, like this billing collection company, as they often store sensitive financial information that can be turned into immediate gains,” Giovanni Vigna, co-founder of security firm Lastline, told the Washington Post. “This kind of information is much more lucrative than personal health information that, at the moment, is not readily marketable by criminals.”
According to the U.S. Department of Health and Human Services, there were 351 data breaches of 500 or more healthcare records in 2018, resulting in a total exposure of about 13 million records. The largest healthcare breach of the year compromised the data of more than 2.65 million Atrium Health patients that had been provided to the company’s billing vendor.
AMCA said it was alerted to a possible breach by a security compliance firm that works with credit card companies and, after conducting an internal review, took down its web payments page.
“We remain committed to our system’s security, data privacy, and the protection of personal information,” the company added.