PHI of 11.9 Million Quest Diagnostics Patients Compromised in AMCA Data Breach

Quest Diagnostics, one of the largest medical laboratory chains in the United States, has announced that around 11.9 million of its patients have had their protected health information (PHI) compromised in a data breach at the billing collections firm American Medical Collection Agency (AMCA).

On May 14, 2019, Quest Diagnostics and its business associate Optum360 were notified about the breach and were told that approximately 11.9 million records had been compromised between August 1, 2018 and March 30, 2019. The records were stored in AMCA systems along with data from other entities and data that had been collected by AMCA.

AMCA has hired forensics experts to investigate the breach and determine whether PHI was accessed or copied during the time that the hacker had access to its systems, the exact types of PHI involved, and details of all individuals affected. Quest Diagnostics reported this week that while notification about the breach had been received, AMCA has yet to provide full information on the breach. It is currently unknown which patients have been affected and Quest Diagnostics has not been able to verify the accuracy of the information provided by AMCA.

AMCA informed Quest Diagnostics that the types of information that were likely compromised included personal information, Social Security numbers, financial information, and some medical information, but not lab test results. Quest Diagnostics is working with Optum360 and will be sending notification letters to all affected individuals when the full list of affected patients is received from AMCA.

While it has not yet been officially confirmed whether patient data was stolen by the hacker, data theft is probable. In May, security researchers at Gemini Advisory discovered a batch of around 200,000 credit card numbers were being offered for sale on a popular darknet marketplace. The card-not-present database combined credit card numbers with dates of birth and Social Security numbers and was tied to AMCA. The data appeared to have been collected during the same time period of the recently reported breach.

AMCA was notified about the sale of the database but did not respond to Gemini Advisory. Gemini Advisory then notified law enforcement about the breach, which made contact with AMCA.

Since AMCA works with entities other than Quest Diagnostics, the breach may turn out to be much larger. As it stands, it is already the second largest healthcare data breach ever to be reported in the United States and is potentially one of the most serious given the nature of data that has been compromised.