Quest Diagnostics, the popular US clinical laboratory, has suffered an enormous data breach. As a result, the information of 11.9 million patients has been exposed.
According to the official statement, the American Medical Collection Agency (AMCA), a billing collections service provider, informed Quest Diagnostics that “an unauthorized user had access to AMCA’s system containing personal information AMCA received from various entities, including from Quest.”
It should be noted that AMCA provides billing collections services to Optum360, which in turn is a Quest contractor. Quest and Optum360 are working with forensic experts to investigate the matter, the statement added.
Quest Diagnostics Data Breach Explained
Apparently, the unknown attacker took advantage of the Quest contractor to obtain access to the highly sensitive patient data. Compromised data includes Social Security numbers as well as medical and financial details. What is known is that laboratory test results were not compromised.
The type of financial data potentially at risk has not been revealed yet, and it's not known whether credit card numbers and security codes were exposed. Quest also hasn't specified whether encryption was in place to protect the data of its patients.
How did the data breach happen? According to Quest's explanation, hackers had access to AMCA's web payment page, which likely means that a credit card skimmer was used.
Considering the nature of the attack, a group such as Magecart may be behind the data breach. Magecart's portfolio of successful formjacking attacks includes organizations such as British Airways and Ticketmaster, to name a few. A formjacking attack involves the injection of malicious code into the targeted website, allowing attackers to grab customers' credit card details.
As for Quest's data breach, the laboratory "is taking this matter very seriously" and, since learning of the AMCA data security incident, has suspended sending collection requests to AMCA.