Quest Diagnostics, the medical testing company, said a data breach has affected about 11.9 million patients, after an “unauthorized user” gained access to financial data, Social Security numbers and medical data, but not laboratory test results.
A collections agency called American Medical Collection Agency notified Quest about a potential intrusion on May 14 and then reported on the scope of the breach on Friday.
AMCA provides services to Optum360, a Quest billing contractor. Quest said it does not have details about which patients were affected and what data was stolen.
Quest “has not been able to verify the accuracy of the information received from AMCA,” Quest said in a statement posted on its website Monday. Quest has suspended collections requests through the agency, it said.
“Quest is taking this matter very seriously and is committed to the privacy and security of our patients’ personal information,” the company said. It indicated that plans are in the works to begin notifying individual patients but did not give a timeline.
There was no indication in the company’s statements that the intruders had hacked into other systems besides AMCA’s.
AMCA offered few details of the breach. It said in a prepared statement that it learned its security had been penetrated from a consultant working for credit-card companies.
It moved its payment portal to a third-party vendor and took other steps to beef up security, the agency said.
Optum360, which is part of UnitedHealth Group, said its records were not affected.
“We are actively working with Quest and AMCA to understand this issue and ensure appropriate actions are being taken,” the company said.
While this is a large breach, it does not rank among the biggest. The Equifax hack of 2017 affected the data of 145.5 million individuals. The Yahoo attack disclosed in 2016 affected 1 billion Yahoo customers.
The largest hack of medical data came in 2014, when the servers of health insurance company Anthem were compromised and records of 79 million people were stolen. This month, the Department of Justice charged two Chinese nationals in that attack. Anthem had paid a $115 million settlement to victims of the breach.
A data security consultant said hackers are not interested in health care information, which is not easily monetized, but are hunting down firms that handle financial information for bank account and Social Security numbers.
“Hackers target financial companies, like this billing collection company, as they often store sensitive financial information that can be turned into immediate gains,” said Dr. Giovanni Vigna, co-founder of network security provider Lastline. “This kind of information is much more lucrative than personal health information, that, at the moment, is not readily marketable by criminals.”