DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Update on American Medical Collection Agency breach: Almost 12 million Quest Diagnostic patients impacted

Posted on June 3, 2019 by Dissent

On May 10, DataBreaches.net broke the story of a medical collection agency breach involving American Medical Collection Agency.  The breach had been discovered by Gemini Advisory, who informed this site that they had found approximately 200,000 patients’ payment card info for sale on a well-known marketplace. The cards had apparently been compromised between September, 2018 and the beginning of March, 2019.

When AMCA did not respond to Gemini’s notification attempt, Gemini Advisory reported their findings to law enforcement, who then contacted AMCA.

AMCA did not subsequently respond to DataBreaches.net’s questions about the incident, although by May 10, it was clear that AMCA knew and had been addressing the problem (as screenshots this site published suggested).

Today, ABC news reports that AMCA has reportedly informed Quest Diagnostics that 11.9 million of their patients may be impacted — and that’s just one company. ABC reports:

AMCA believes this information includes personal information, including certain financial data, Social Security numbers, and medical information, but not laboratory test results.

Quest reports that AMCA has not yet provided them or Optum360 detailed or complete information about the AMCA data security incident, including which information of which individuals may have been affected.

Quest also said in a statement that they have “not been able to verify the accuracy of the information received from AMCA.”

I expect we’ll see a lot more coverage on this breach now that some larger numbers are being reported. The following is Quest Diagnostics’ statement from their web site. I still don’t see any mention of HIPAA, but it would seem to be implicated in this incident.


SECAUCUS, N.J., June 03, 2019 — American Medical Collection Agency (AMCA), a billing collections service provider, has informed Quest Diagnostics that an unauthorized user had access to AMCA’s system containing personal information AMCA received from various entities, including from Quest. AMCA provides billing collections services to Optum360, which in turn is a Quest contractor. Quest and Optum360 are working with forensic experts to investigate the matter.

AMCA first notified Quest and Optum360 on May 14, 2019 of potential unauthorized activity on AMCA’s web payment page. On May 31, 2019, AMCA notified Quest and Optum360 that the data on AMCA’s affected system included information regarding approximately 11.9 million Quest patients. AMCA believes this information includes personal information, including certain financial data, Social Security numbers, and medical information, but not laboratory test results.

AMCA has not yet provided Quest or Optum360 detailed or complete information about the AMCA data security incident, including which information of which individuals may have been affected. And Quest has not been able to verify the accuracy of the information received from AMCA.

Quest is taking this matter very seriously and is committed to the privacy and security of our patients’ personal information. Since learning of the AMCA data security incident, we have suspended sending collection requests to AMCA.

Quest will be working with Optum360 to ensure that Quest patients are appropriately notified consistent with the law.

We are committed to keeping our patients, health care providers, and all relevant parties informed as we learn more.


 

Update, June 4:   Gemini Advisory has issued a statement about their findings and role on their blog.

Related posts:

  • South Texas Dermatopathology and Laboratory of Dermatopathology ADX Notify Their Patients of AMCA Breach (Update4)
  • Penobscot Community Health Center notifying 13,000 patients about collection agency breach
  • American Medical Collection Agency breach impacted 200,000 patients – Gemini Advisory
  • Another AMCA victim starts notifying patients
Category: HackHealth DataOf NoteU.S.

Post navigation

← Health Quest phishing incident in 2018 results in notification to patients, but why such a long delay?
Report: Theta360 Leak Potentially Exposed Millions of Users’ Public and Private Photographs →

1 thought on “Update on American Medical Collection Agency breach: Almost 12 million Quest Diagnostic patients impacted”

  1. Janet Handley says:
    June 10, 2019 at 3:30 pm

    Mine was stolen on May 7th. Someone used my debit card number at a Target in New York and I live in Alabama. They got every cent I had in the bank and my line of credit. I am on a fixed income and now I have to call my creditors and the credit agencies to tell them. I was on the phone for 59 minutes with Equifax trying to tell them what happened. I have had to call others also. Something needs to be done to catch and to put these people who do this as they say under the jail. They need to get a real job and not be a thief of others who have worked hard all their lives and done without to have something. Just saying…

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Horizon Healthcare RCM discloses ransomware attack in December
  • Disgruntled IT Worker Jailed for Cyber Attack, Huddersfield
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024
  • Battlefords Union Hospitals notifies patients of employee snooping in their records
  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.