Quest Diagnostics Hit With Data Breach – 12 Million Patients Exposed

Quest Diagnostics is the latest victim of a data breach. As a result, 12 million patients have been exposed to hackers.

June is proving to be a pretty bad month for personal information getting exposed. Earlier this month, we learned of the First American data leak, which exposed 885 million records. This was followed by Marriott’s parent company suffering a breach that saw 85.4GB of security data exposed.

Now, there is another data breach to report. This time, it affects medical giant Quest Diagnostics. According to ZDNet, about 12 million patients have been exposed. From the report:

On Monday, the US clinical laboratory said that American Medical Collection Agency (AMCA), a billing collections provider that works with Quest, informed the company that an unauthorized user had managed to obtain access to AMCA systems.

Through the Quest contractor, the unknown individual was able to access — and potentially steal — Quest patient data including Social Security numbers, medical information, and financial data.

Quest has not revealed what forms of financial data have been exposed, such as whether card numbers or security codes are included, or whether or not encryption was in place to protect this information.

Quest says that unauthorized activity took place on “AMCA’s web payment page,” which may suggest a card skimmer was in play. (These kinds of attacks are the specialization of Magecart, a group which has compromised British Airways, Ticketmaster, and other major brands in the past.)

Laboratory test results are not believed to have been compromised.

What is interesting is that Quest is not saying whether or not the compromised information was encrypted. Normally, that is probably the easiest detail to disclose, because if the data is encrypted, that actually lends some assurance to those affected: at minimum, the information would take time to crack in the first place. That gives potential victims a head start on changing their personal information. The fact that this isn’t disclosed is a bit unnerving.

In any event, this incident shows that June is becoming a rather active month for this sort of thing. While not yet on the scale of last month, it’s certainly holding its own on the bad security news front.

Drew Wilson on Twitter: @icecube85 and Facebook.