Nearly 7.7 million patients that used LabCorp’s testing services could have had their personal information exposed due to a security breach at American Medical Collection Agency.

The news comes a day after Quest Diagnostics, which also uses AMCA as a third party billings collector, revealed that about 12 million of its customers’ personal information had also been exposed.

In an SEC filing, Burlington, NC-based LabCorp noted that AMCA said the breach occurred between Aug. 1, 2018, and March 30, 2019.

“AMCA’s affected system included information provided by LabCorp,” the company said in a filing. “That information could include first and last name, date of birth, address, phone, date of service, provider, and balance information. AMCA’s affected system also included credit card or bank account information that was provided by the consumer to AMCA (for those who sought to pay their balance). LabCorp provided no ordered test, laboratory results, or diagnostic information to AMCA. AMCA has advised LabCorp that Social Security Numbers and insurance identification information are not stored or maintained for LabCorp consumers.”

The company added that “AMCA has informed LabCorp that it is in the process of sending notices to approximately 200,000 LabCorp consumers whose credit card or bank account information may have been accessed. AMCA has not yet provided LabCorp a list of the affected LabCorp consumers or more specific.”

LabCorp said it has now ceased sending new collection requests to AMCA and stopped the collections agency from continuing to work on any pending requests involving LabCorp consumers.

Tuesday afternoon AMCA responded to the article MD+DI published about the Quest Diagnostics breach. 

“We are investigating a data incident involving an unauthorized user accessing the American Medical Collection Agency system,” AMCA said in the email. “Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page. We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident. We remain committed to our system’s security, data privacy, and the protection of personal information.”