Big quote: "Between August 1, 2018 and March 30, 2019 an unauthorized user had access to AMCA’s system that contained information that AMCA had received from various entities, including Quest Diagnostics, and information that AMCA collected itself." — Quest Diagnostics, SEC Form 8-K

Close to 20 million Quest Diagnostics and LabCorp patient records were exposed in a breach of a third-party company that they both use.

According to a Securities and Exchange Commission (SEC) filing on Monday, Quest reported that 11.9 million of its records were compromised by a security breach of its collections provider American Medical Collection Agency (AMCA). Then on Tuesday, LabCorp said that 7.7 million of its records were also exposed to the same AMCA intrusion.

The attack targeted the AMCA’s website and skimmed personal information that included patient names, birth dates, addresses, phone numbers, dates of service, providers, and account balance. Additionally, LabCorp confirmed that nearly 200,000 patients also had their credit card or bank information stolen.

Medical data, including history and lab results, were not compromised.

According to Quest’s SEC filing, the AMCA’s systems were breached on August 1, 2018. The vulnerability was not discovered until March 30 of this year.

There is no indication as to who was behind the breach, but the methods used are similar to those seen last year against big companies including British Airways, Newegg, and Ticketmaster. The group behind those intrusions, known as Magecart, used malicious JavaScript injected into the victim websites to siphon off data and send it to the attackers through a secondary domain.

It is unclear if AMCA was only used for collections of accounts that were in default or if it handled billing in general. If you are a Quest Diagnostics or LabCorp customer, you might want to keep your eye on your accounts for any suspicious activity.
