AMCA web payment page breached; Nearly 12 million Quest Diagnostics patients impacted

• The information that could be accessed during the breach includes Social Security numbers, bank account details, credit card numbers, as well as medical information.
• American Medical Collection Agency (AMCA) immediately responded by taking down the web payment page, as well as migrated its web payments portal services to a third-party vendor.

What happened?

American Medical Collection Agency (AMCA), billing service provider, had its web payment page breached, impacting nearly 11.9 million Quest Diagnostic patients’ personal and financial information.

The detailed picture

AMCA first notified Quest Diagnostics on May 14, 2019, that an unauthorized user gained access to its web payment page between August 22, 2018 and March 30, 2019, that contained information AMCA received from various entities, including Quest Diagnostics.

Upon receiving the notification, Quest Diagnostics reported the incident to the U.S. Securities and Exchange Commission.

• As a precautionary measure, Quest Diagnostics suspended sending collection requests to AMCA.
• The diagnostic services provider notified federal and state law enforcement authorities about the incident.
• It is further working closely with its contractors Optum360, AMCA, and third-party security experts to determine the scope and impact of the incident.

“Quest is taking this matter very seriously and is committed to the privacy and security of our patients’ personal information,” Quest Diagnostics told BleepingComputer.

What information was involved?

The information that could be accessed during the breach includes Social Security numbers, bank account details, credit card numbers, as well as medical information. However, laboratory test results were not compromised.

The response from AMCA

• American Medical Collection Agency (AMCA) conducted an internal review and immediately responded by taking down the web payment page.
• The billing service provided also migrated its web payments portal services to a third-party vendor.
• It also retained a forensics firm and security experts to investigate the incident and advise steps to strengthen its systems’ security.

“We have also advised law enforcement of this incident. We remain committed to our system’s security, data privacy, and the protection of personal information,” AMCA said in a statement.