Quest Diagnostics said the personal information of 11.9 million customers has potentially been compromised.
The clinical laboratory company said in a release that an “unauthorized user” gained access to a system used by American Medical Collection Agency (AMCA), a billing vendor hired by a Quest contractor called Optum360.
Quest said the information that may have been exposed included Social Security numbers and medical information, but not test results.
AMCA first notified Quest on May 14 of “potential unauthorized activity” on its payment page, Quest said. Two weeks later, according to Quest, AMCA then told Quest and Optum360 more about the breach, including the number of patients potentially affected and what information was accessed.
Quest (DGX) said it has suspended using AMCA and that it was using “forensic experts” to examine the issue.
It also said that AMCA has not provided “detailed or complete information” about the hack, including which customers might have been affected.
In a statement to CNN Business, Optum360 said its data systems “were not impacted” and said that security is “critically important to us, and we are actively working with Quest and AMCA to understand this issue and ensure appropriate actions are being taken.”
AMCA also released a statement saying it’s investigating the incident and remains “committed to our system’s security, data privacy, and the protection of personal information.”
“We are committed to keeping our patients, health care providers, and all relevant parties informed as we learn more,” Quest said in the release.
Quest’s stock was unchanged on the news. The company has roughly 2,200 locations across the United States, according to its website.