
Data Breach Hits Millions: Quest and AMCA in Question

Quest Diagnostics Inc. reported that approximately 11.9 million of its patients were compromised in a data breach, targeting financial information and other data, from August 1st of 2018 through March 30th of this year. The data breach specifically targeted collections firm American Medical Collection Agency (AMCA) and their online payment page. AMCA’s online payment page provides collection services to Optum360, which is a contractor for Quest Diagnostics. In a statement made by Quest, the data breach involved credit card numbers, bank account information, social security numbers, and medical information. However, it did not affect laboratory test results. A data-security firm has announced that approximately 200,000 payment card numbers are being sold on the dark web, stolen from a collections firm serving diagnostic laboratories. The data-security firm states that even more is expected to come up for sale.

What’s Being Sold


Gemini Advisory, LLC, a New York-based company that monitors the dark web to find clients’ stolen data, said that it first “identified a large number of compromised payment cards” on Feb. 28. About 15% of the records stolen also included important information such as dates of birth, social security numbers, addresses, and email addresses. According to Christopher Thomas, an intelligence production analyst at Gemini Advisory, all of the compromised financial data spotted on the dark web so far consist of payment cards, not bank account information.

“While 200,000 records have currently been posted for sale, it is common for cybercriminals to post compromised data to the Dark Web in installments, so the number of records may well increase.” -Christopher Thomas, Gemini Advisory.


Data Breach Will Get Worse


It’s important to note that Quest Diagnostics is not AMCA’s only client. LabCorp, another big diagnostics firm, said in a regulatory filing that it sent personal—and financial—data on 7.7 million consumers to AMCA.

“AMCA has informed LabCorp that it is in the process of sending notices to approximately 200,000 LabCorp consumers whose credit card or bank account information may have been accessed. AMCA has not yet provided LabCorp a list of the affected LabCorp consumers or more specific information about them.” -LabCorp.

After finding the card numbers on the dark web, Gemini Advisory researchers concluded they came from something other than an online retailer. According to Thomas, “Since the records we observed contained information such as date of birth and Social Security number, we determined that the compromised records came from an online portal that requires more personally identifiable information than average online retailers.”


AMCA in Question


According to Gemini Advisory, AMCA took its online payment portal offline from April 8th to May 2nd. Gemini Advisory also said it alerted AMCA about this breach, but received no response. Quest Diagnostics, meanwhile, said in a statement that “AMCA has not yet provided Quest or Optum360 detailed or complete information about the AMCA data-security incident, including which information of which individuals may have been affected.”

When it comes to exactly how the breach happened, that hasn’t been revealed. However, in a statement, AMCA said that an “unauthorized user” accessed its system. The statement continues:

“Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page. We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our Web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident.”

The collections firm also said it’s providing 24 months of credit monitoring to anyone who had either a social security number or credit card account compromised, even if their state doesn’t require it.

Southwest Recovery

Southwest Recovery Services is the most trusted collections agency in Dallas and Houston. Follow us for more information on collection agencies, collecting debt, and industry news. For information on how we can help you collect a debt, call our Dallas or Houston office today to get started.
