Medical testing giant Quest Diagnostics has confirmed a third-party billing company has been hit by a data breach affecting 11.9 million patients.
The laboratory testing company revealed the data breach in a filing on Monday with the Securities and Exchange Commission.
According to the filing, the breach was the result of malicious code found on the payment pages of the American Medical Collection Agency, a third-party collections vendor for Quest. The code skimmed information entered into the website, like credit card numbers, as well as medical information and personal data from the site.
But laboratory tests were not included in the stolen data, Quest said.
The malicious skimming code was in place from August 1, 2018 until May 31, 2019, said Quest, which noted that it has “not been able to verify the accuracy of the information” from the AMCA.
Quest said it has since stopped sending collection requests to the vendor while it investigates, and has hired outside security experts to understand the damage.
It’s far from the first company to be hit by skimming malware. Highly targeted credit card skimming attacks hit Ticketmaster, British Airways, and consumer electronics giant Newegg in the past year, affecting millions of customers. The so-called Magecart group of hackers would break into vulnerable websites and install the malicious code to skim data and send it back to hacker-controlled servers.
It’s not known who was behind Quest’s data breach.
A spokesperson for the American Medical Collection Agency did not immediately comment when contacted.