AMCA Data Security Incident

Information and FAQs for Patients

The following is intended as a reference for questions about the AMCA Data Security Incident. (June 7, 2019; 7:00 p.m. EST)

 

Click here to see the letter to our patients.

 

SUMMARY OF THE INCIDENT 
 

  • American Medical Collection Agency (AMCA), a collection agency, had a data security incident that impacted AMCA’s systems.
  • Optum360®, a contractor of Quest, used AMCA as one of its collection agencies.
  • AMCA also handled collections for a number of other clinical laboratories and healthcare providers, and the data security incident has impacted all of AMCA’s customers.
  • With respect to Quest, only those Quest patients whose accounts were sent to AMCA for debt collection may have had information on AMCA’s affected system.
  • Credit cards collected at a Quest patient service center were not affected. Quest has not shared, and will not share, your credit card or bank account information with AMCA.  
  • Quest’s information systems, including MyQuest™ were not affected.
  • Quest is working with AMCA and Optum360 to ensure that Quest patients are appropriately notified.
  • We are committed to keeping our patients, health care providers, and all relevant parties informed as we learn more. For general information, individuals can call 866-MYQUEST.

 

WHAT HAPPENED, WHO WAS IMPACTED


Q1. What happened?
Q2. When and how did Quest first discover there was a breach of AMCA’s affected system?
Q3. How many Quest patients had information in AMCA’s affected system?
Q4. Did AMCA’s affected system contain data from all Quest patients?
Q5. Is it safe for me to use my credit card at a Patient Service Center?
Q6. Is there a phone number available for people who have questions?
Q7. How can I find out if my information, specifically, was in AMCA’s affected system?
Q8. Were Quest Diagnostics information technology systems impacted? Quest interfaces?

INFORMATION INCLUDED IN AMCA'S AFFECTED SYSTEM


Q1. What data may have been contained in AMCA’s affected system?
Q2. Would the hacker have access to laboratory test results?
Q3. Is there information contained in AMCA’s affected system from entities other than Quest?
Q4. If my financial data was part of the AMCA data security incident, will credit monitoring be offered?
 

INVESTIGATION AND RESPONSE


Q1. When will the investigation be completed?
Q2. Has law enforcement been notified?
Q3. What steps has Quest taken in response to this incident?
Q4. I saw the news on LabCorp and BioReference.  Is this the same AMCA incident? Why are the numbers different?

 

WHAT HAPPENED, WHO WAS IMPACTED


Q1. What happened?
A1. American Medical Collection Agency (AMCA), a collection agency, has disclosed that an unauthorized user had access to AMCA’s system. The affected system contained personal information AMCA received from various entities, including Quest Diagnostics, other clinical laboratories and healthcare providers, as well as information AMCA collected itself. AMCA is a collection agency used by Optum360®, a Quest contractor, and other healthcare companies.

Back to top

Q2. When and how did Quest first discover there was a breach of AMCA’s affected system?
A2. Quest and Optum360 received notice from AMCA on May 14, 2019 of potential unauthorized activity on AMCA’s web payment page. The letter Quest and Optum360 received did not provide details regarding the incident or what data may have been on AMCA’s affected system. On May 31, 2019, AMCA informed Quest and Optum360 that the number of Quest Diagnostics patients whose information was contained on AMCA’s affected system was approximately 11.9 million people. Quest and Optum360 have not yet been able to verify the accuracy of the information received from AMCA.

Back to top

Q3. How many Quest patients had information in AMCA’s affected system?
A3. AMCA informed Quest and Optum360 on May 31, 2019 that the number of Quest Diagnostics patients whose information was contained on AMCA’s affected system was approximately 11.9 million people. The only Quest customers whose information was contained on AMCA’s affected system are those whose accounts were sent to AMCA for collections.

Back to top

Q4. Did AMCA’s affected system contain data from all Quest patients?
A4. No. It is important to remember that only those Quest patients whose accounts were sent to AMCA for debt collection may have had information on AMCA’s affected system. Quest systems were not affected.

Back to top

Q5. Is it safe for me to use my credit card at a Patient Service Center?
A5. Yes. Quest does not provide credit card information to AMCA.

Back to top

Q6. Is there a phone number available for people who have questions?
A6. 1.866.MYQUEST (1.866.697.8378).

Back to top

Q7. How can I find out if my information, specifically, was in AMCA’s affected system?
A7. We have been advised by AMCA that if your social security number or financial information was involved in the incident, you will be notified by letter from AMCA and offered 24 months of complimentary credit monitoring and identity theft mitigation services. In addition, we are working to ensure that affected Quest patients receive notice of the AMCA incident consistent with state and federal law.

Back to top

Q8. Were Quest Diagnostics information technology systems impacted?
A8. No. The AMCA data security incident did not impact Quest’s systems, including MyQuest™. The AMCA data security incident was the result of unauthorized access to the system of AMCA, a third-party collection agency.

Back to top

 

INFORMATION INCLUDED IN AMCA'S AFFECTED SYSTEM


Q1: What data may have been contained in AMCA’s affected system?
A1: AMCA has informed us that the Quest-related information contained in AMCA’s affected system included certain financial information (e.g. credit card number, bank information), social security numbers, and medical information, but not laboratory test results. Certain medical information on AMCA’s affected system was provided by Quest to help patients understand what they were being charged for, and to allow patients to submit an insurance claim where appropriate.  Other information, including credit card and bank account information, was collected by AMCA and was not provided by Quest. Quest has not shared, and will not sure your credit card or bank information with AMCA.

Back to top

Q2: Would the hacker have access to laboratory test results?
A2: No. Quest laboratory test results were not included in AMCA’s affected system, as laboratory test results are not shared with collection agencies.

Back to top

Q3. Is there information contained in AMCA’s affected system from entities other than Quest?
A3. Yes. AMCA’s affected system contained information from Quest as well as from other health care providers, including other clinical laboratories. All of AMCA’s customers were impacted.

Back to top

Q4. If my financial data was part of the AMCA data security incident, will credit monitoring be offered?
A4. We have been advised by AMCA that individuals whose Social Security numbers or financial information (e.g., credit card numbers, bank information) was involved, will be offered 24 months of complimentary credit monitoring and identity theft mitigation services.

Back to top

 

INVESTIGATION AND RESPONSE


Q1. When will the investigation be completed?
A1. At this point, computer forensic experts are conducting an investigation to determine who was impacted and what information may have been accessed on AMCA’s system. We do not know when this investigation relating to AMCA’s affected system will be completed.

Back to top


Q2. Has law enforcement been notified?
A2. AMCA has disclosed to us that it has been in contact with law enforcement regarding the incident.

Back to top

Q3. What steps has Quest taken in response to this incident?
A3. In response to this incident, Quest Diagnostics:

  • Has suspended sending collection requests to AMCA;
  • Is notifying affected health plans and patients and will ensure, with Optum360, that notification is provided to regulators and others as required by federal and state law; and
  • Is working with Optum360, AMCA and outside security experts to investigate the AMCA data security incident and its potential impact on Quest Diagnostics and its patients.


Back to top


Q4. I saw the news on LabCorp and BioReference.  Is this the same AMCA incident? Why are the numbers different?
A4. Yes. We can’t speak for LabCorp, BioReference or AMCA on why the numbers are different.

Back to top