SECAUCUS, N.J. and EDEN PRAIRIE, Minn. (July 9, 2019) – As recently reported in numerous media outlets, on May 14, 2019, Retrieval-Masters Creditors Bureau, Inc./American Medical Collection Agency (AMCA), informed Quest Diagnostics and Optum360 about a data incident involving AMCA’s system containing personal information of some Quest patients whose accounts were sent to AMCA for debt collection. Optum360 provides revenue management services for Quest, and AMCA provided debt collection services for Optum360. Neither Quest’s nor Optum360’s information technology systems or databases were involved in the AMCA incident. Quest was among several laboratories and other entities whose customers were affected by the AMCA data security incident.
AMCA subsequently informed Quest and Optum360 that it had learned, after an external forensics review, that an unauthorized user had access to AMCA’s system between August 1, 2018 and March 30, 2019. The incident affected AMCA’s system, which contained personal information concerning Quest accounts that were sent to AMCA for debt collection. On June 7, 2019, AMCA provided to Optum360 data regarding an additional population of Quest patients whose information may have been included in the affected AMCA system but who had not been notified by AMCA.
Based on information provided by AMCA, the information contained on the affected AMCA system included: information used to identify and contact individuals (such as first, middle and last name, date of birth, Social Security Number, address, phone number); information related to providers and services (such as dates of service, name of lab, referring doctor, test names, internal patient ID number); and laboratory billing- and payment-related information (such as credit card information, bank account number, insurance/payer information and identification number, diagnosis codes, internal account number). Test results were not included.
In June 2019, AMCA mailed notices to certain individuals whose information was contained on the affected AMCA system, including some individuals who are associated with services Quest provided. On June 17, 2019, AMCA filed for bankruptcy. Quest and Optum360 understand that AMCA now intends to wind down and liquidate its business. Starting this week, Quest and Optum360 are mailing notices to additional individuals whose information may have been affected by the incident at AMCA and who were not included in a June 2019 mailing by AMCA. As further described in those two sets of notices, complimentary credit monitoring is being offered to those recipients whose Social Security Numbers, credit card information, or bank account numbers may have been involved.
As a precaution, individuals whose information was contained on the affected AMCA system are advised to regularly monitor their credit reports and account information, including documentation concerning their health care, to check for any unfamiliar activity. If any suspicious activity is observed, individuals should immediately contact the financial institution or company at which the account is maintained.
In response to the incident, AMCA stated it took down its web payments page and migrated it to a third-party vendor. AMCA also stated that it conducted an external forensic review, retained a computer security consulting firm to increase the security of AMCA’s systems, and engaged with law enforcement. Since learning of this incident, Quest and Optum360 have been working to determine what happened and what information was potentially affected as a result, and Optum360 retained a forensic expert to investigate the incident. Quest and Optum360 have ceased using AMCA for collection services.
A dedicated hotline has been established for Quest customers who may have questions or who would like additional information about the AMCA data security incident, including those who received a June 2019 letter from AMCA. The hotline can be reached toll-free at 1-800-491-5304 Monday through Friday from 8:00 a.m. to 5:30 p.m. Central Time. Additional information is available at https://amcaincident.kroll.com.