12 Million Medical Bills Stolen by Data Thieves: What to Do

Nearly 12 million U.S. residents may have had their credit card and Social Security numbers compromised, thanks to a data breach at a medical bill-collection agency. It's likely that names, addresses and dates of birth were also part of the breach.

Credit: everydayplus/Shutterstock

The breach was officially disclosed in a Securities and Exchange Commission filing today (June 3) by New Jersey-based Quest Diagnostics, one of the largest clinical lab-testing providers in the world.

But Quest didn't suffer the breach itself. Rather, the breached company was American Medical Collection Agency (AMCA), a bill collector that had been subcontracted by Optum360, a company that handles Quest's billing. AMCA notified Quest of the breach on May 14, according to the SEC filing, and stated that the attackers had access to AMCA's systems from Aug. 1, 2018 to March 30, 2019 -- eight months in total.

"AMCA believes that the number of Quest Diagnostics patients whose information was contained on AMCA's affected system was approximately 11.9 million people," Quest said in the SEC filing. "The information on AMCA's affected system included financial information (e.g., credit card numbers and bank account information), medical information and other personal information (e.g., Social Security Numbers)."

The results of the lab tests themselves were not part of the compromised data.

What to do

If you've had any kind of medical procedure in the past year or two that involved any kind of lab test -- which includes routine physicals and drug tests -- it's likely that Quest Diagnostics handled at least some of the lab work.

You should check your credit card statements for any discrepancies and use annualcreditreport.com to get a free credit report from at least one of the three big credit-reporting agencies (Equifax, Experian and TransUnion).

If and when you do get notified that your personal data was part of this breach, you should consider signing up with an identity-protection service if such services are not offered to you by one of the affected companies.

Unfortunately, we do not have information yet about who exactly is affected, and we do not believe that any of the victims of this compromise have yet been notified. Quest is likely not AMCA's only client, and we expect the numbers of affected individuals to rise above 12 million as more companies report that their data was also part of the breach.

"Quest will be working with Optum360 to ensure that Quest patients are appropriately notified consistent with the law," Quest Diagnostics said in a statement on its website, adding that it had suspended doing business with AMCA.

Not everyone who's had a lab test is part of this

On the bright side, even if Quest handled your lab tests, you're probably not affected. Quest's own website boasts that it "touches the lives of 30 percent of American adults each year," which comes to about 75 million adults, plus an unknown number of persons under 18. You can presume that only a fraction of Quest's full patient list was passed on to AMCA, which seems to specialize in collecting payment from patients who haven't paid on time.

But because AMCA needs to be able to reach those late payers, we can assume that the compromised information probably also contains full names, mailing addresses and contact information such as telephone numbers and email addresses. DataBreaches.net said the data might also include dates of birth, according to information it received when it first got wind of the breach in mid-May.

Needless to say, this would be very valuable and dangerous information to possess, and if an identity thief or other type of online crook got his or her hands on it, they'd be pretty happy.

Why this could be devastating to those affected

A name, address, date of birth and Social Security number are all it takes to completely steal a U.S. resident's identity. Combine those with telephone numbers, email addresses, bank-account numbers and credit-card numbers, and you've got a perfect storm of opportunity for crooks, phishers and scammers.

Bad guys could contact affected people pretending to be the IRS, banks or even the Social Security Administration and present a convincing case that the scammers actually represented the purported organization. The credit card numbers are the least risky part of this brew, since U.S. card issuers quickly respond to suspicious activity, and card holders are rarely liable for stolen funds.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.