11.9 Million Patient Medical Records May Have Been Exposed in Latest Data Breach

Global medical testing corporation Quest Diagnostics claims to serve 1 in every 3 adult Americans each year. Now the company has revealed that as many as 11.9 million patient records may have been exposed in a data breach reported by their billing collections agency, American Medical Collection Agency (AMCA).

AMCA notified Quest on May 14 that an unauthorized user gained access to AMCA’s system, which included millions of patient medical records from Quest and their third-party contractor, Optum360.

What data was exposed in the breach

According to a June 3 statement from Quest, the unauthorized AMCA user had access to sensitive personal data, including credit card numbers, bank accounts, Social Security numbers and medical information, over a period of eight months. Quest assured patients that laboratory test results were not revealed in the breach.

While Quest said it had not been able to verify AMCA’s information about the hack, it has stopped sending collection requests to AMCA and is working with forensics experts to investigate the matter. It isn’t yet clear whether the hacker has used or disseminated the information accessed in the breach.

AMCA is also reportedly conducting its own investigation. The company stated that it has taken down its online payments page, outsourced its payment portal to a third-party vendor and hired security experts to help. AMCA has not yet said whether other healthcare companies have been affected by this breach.

Why hackers target medical companies

Healthcare service providers and any third parties that work with them are an increasingly common target for hackers. A 2019 survey by Healthcare Information and Management Systems Society found that about 82% of hospital IT leaders reported a “significant security incident” in the last 12 months.

Why? Medical records contain a trove of personal information. In addition to names, addresses and financial information, healthcare facilities also keep sensitive medical records, insurance information and Social Security numbers. The richer and more detailed the data a criminal has, the easier it is for them to commit identity theft.

Given how frequently patient information is shared among hospitals, doctors’ offices, insurance companies, billing companies and other vendors, there are many potential access points for would-be hackers to breach.

Healthcare companies are far from the only entities that cybercriminals target, though. From popular chat apps to entire city governments, any organization may become the next victim of a data breach. If you’re concerned that your personal data may have been illegally accessed by an unauthorized party in this or any other breach, you can check here to see if there is a record of your sensitive information being trafficked on the internet.