The data breach may have involved the collection of patients’ financial information, such as credit-card numbers and bank-account data, as well as medical information and personal details, the company said Monday.
The billing collections vendor, American Medical Collection Agency, notified the company of the breach on May 14, Quest said.
AMCA found an unauthorized user had obtained access to its system between August 2018 and March 2019. The breach gave the user access to information from Quest Diagnostics and other entities, as well as information AMCA had collected itself.
AMCA said in a statement it conducted an internal review, took down its web payment platform, and hired third-party security experts to investigate the breach.
Quest said laboratory results weren’t affected by the breach.
A Quest spokeswoman said the company hasn’t received complete information about what is entailed in the data security incident, including which individuals could be affected.