Quest Diagnostics Reports 11.9 Million Patients’ Payment Information Hacked in Massive Data Breach
Quest Diagnostics reported to the Securities and Exchange Commission (SEC) that a third-party vendor, American Medical Collection Agency, was breached. Hackers stole payment information, including credit cards, as well as personal data from 11.9 million Quest Diagnostics patients. The data breach occurred between August 1, 2018 and March 30, 2019.
Quest Diagnostics was notified by American Medical Collection Agency on May 14, 2019 about the cyber attack. The collection agency’s web payment system was hacked. The data from almost twelve million Quest Diagnostics customers was part of the hack. According to the SEC filing, the information hacked from American Medical’s system included credit card numbers, bank account information, health savings plans, and other personal information including Social Security Numbers. Quest Diagnostics lab results were not part of the hacked data because Quest does not share that information with collection agencies.
Hacked Credit Cards Found on the Dark Web
Cyber security researchers, Gemini Advisory, found some of the hacked credit card numbers for sale on the deep web. Hacked financial accounts include medical accounts like Health Savings Accounts (HSAs), Health Reimbursement Accounts (HRAs), Flexible Spending Accounts (FSAs), and Medicare Medical Savings Accounts (MSAs).
Deep Web Marketplaces
The deep web is a part of the internet that is not visible or accessible using common web browsers like Internet Explorer, Firefox, Chrome, or Safari. Anonymous web browsers like Tor Browser and Brave browser are used to access it instead. The deep web is commonly referred to as the dark web or darknet, which are parts of the deep web. The deep web is where hackers and other criminals carry out illegal activities such as selling stolen credit card numbers and hacking tools like malware. The deep web is also an online community to sell illegal drugs and guns or arrange for illegal services.
The US Central Intelligence Agency recently established an onion site on the dark web in order to allow for anonymous communication and to have a presence where some of the cybercrime they are battling is occurring.
What Is Quest Diagnostics?
Quest Diagnostics Incorporated is a Fortune 500 clinical laboratory company in Secaucus, NJ. The company was founded in 1976 as Metropolitan Pathology Laboratory, Inc. before becoming an independent company in 1996. Quest Diagnostics operates in the United States, United Kingdom, Mexico, and Brazil.
What is American Medical Collection Agency?
American Medical Collection Agency is a medical billing collections vendor based in Elmsford, NY and founded in 1977. The company’s website states that it manages over one billion US dollars of collection activity. American Medical handles collections for laboratories, hospitals, physician groups, and medical providers.
Quest Diagnostics Data Breach History
Quest Diagnostics was hacked in November 2016 in a much smaller data breach. The health records of about 34,000 patients were compromised. Hackers breached MyQuest, the company’s patient portal, taking patient information including name, birthdate, lab results, and phone numbers. No financial information or credit cards were hacked in the 2016 data breach. In an unrelated incident, in December 2018, hackers breached the US Government’s Healthcare.gov and compromised the data of 75,000 health insurance marketplace users.
Quest Diagnostics Hack – What Should I Do
Gemini Advisory found about 200,000 hacked credit cards for sale on the deep web. Hackers sometimes release and sell hacked data in stages, so more credit cards can come up for sale later on. Quest Diagnostics stopped sending new accounts to American Medical Collection Agency for servicing and hired third-party cyber security experts to investigate.
Neither Quest Diagnostics nor American Medical Collection Agency has notified patients who were hacked.
If you were a Quest Diagnostics patient, you may want to:
- Check your credit score and order a credit report to find any new accounts that have been opened in your name. Order reports from all three credit bureaus – Equifax, Experian, and TransUnion. Consumers are entitled to one free credit report from each service every year.
- Place a fraud alert on your credit files. A fraud alert indicates that you (may) have been a victim of identity theft. A fraud alert tells credit issuers and banks that they should do more to verify your identity before opening new accounts.
- Freeze your credit to stop anyone from opening a new bank or credit account in your name. A credit freeze does not prevent changes to existing credit accounts like increasing your available credit.
- Monitor credit cards and bank accounts closely by checking balances and setting up fraud alerts.
Michelle writes about cyber security and data privacy, focusing on social media privacy as well as how to protect your IoT devices. She has worked in internet technology for over 20 years and owns METRONY, LLC. Michelle earned a B.S. in Engineering from Rensselaer Polytechnic Institute. Michelle published a guide to Cyber Security for Business Travelers.