An estimated 11.9 million patients’ personal and medical information may have been exposed in a data breach of a collections agency that works with Quest Diagnostics Inc. and a unit of the insurer UnitedHealth Group Inc.

Quest said in a securities filing that it had been informed of the breach by American Medical Collection Agency, an Elmsford, New York-based collections firm. For eight months, an unauthorized user had access to data including credit card numbers and bank accounts, medical information, and personal information such as Social Security numbers.

Quest, which operates medical testing centers around the U.S., said it has suspended sending collections requests to AMCA and is working with law enforcement and with UnitedHealth on the effects of the breach. Quest said it was informed of the incident on May 14.

Medical records are a frequent target of hackers. Along with financial information, they often contain personal health information as well as identifying data like Social Security numbers that can provide a richer tapestry of information for identity theft.

Quest said it hadn’t been able to verify information about the hack shared with it by AMCA. It wasn’t immediately clear if other health care companies had been affected.

In a statement, American Medical Collection Agency said that it’s investigating the incident. It said it has taken down its web payments page, moved its online payments portal services to a third-party vendor, and retained security experts. UnitedHealth said that computer systems at its Optum360 unit were not impacted by the incident.

Shares of Quest closed up less than 1% to $96.16 in New York.

Copyright 2019 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.