For eightmonths, an unauthorized user had access to personal informationincluding credit card numbers and bank accounts, medicalinformation, and personal information. (Image:Shutterstock)

An estimated 11.9 million patients' personal and medical information may have been exposed in adata breach of a collections agency that works with QuestDiagnostics Inc. and the insurer UnitedHealth Group Inc.

Quest said in a securities filing that it had been informed ofthe breach by American Medical Collection Agency, an Elmsford, NewYork-based collections firm. For eight months, an unauthorized userhad access to personal information including credit card numbersand bank accounts, medical information, and personal informationsuch as Social Security numbers.

Related: Data breach stalls HealthCare.gov's directenrollment system

Quest, which operates medical testing centers around the U.S.,said it has suspended sending collections requests to AMCA and isworking with law enforcement and with UnitedHealth on the effectsof the breach. Quest said it was informed of the incident on May14.

Medical records are a frequent target of hackers. Along withfinancial information, they often contain personal healthinformation as well as identifying data like social securitynumbers that can provide a richer tapestry of information foridentity theft.

Quest said it hadn't been able to verify information about thehack shared with it by AMCA. It wasn't immediately clear if otherhealth-care companies had been affected.

Shares of Quest were up less than 1% to $96.51 at 9:55 a.m. inNew York.

Read more: 

• One year later: The influence of Equifax &other data breaches on corporate culture
• How to reduce cybersecurity risk to employees'health data
• Accidental data breaches remain the leading causeof loss

Copyright 2019 Bloomberg. All rightsreserved. This material may not be published, broadcast, rewritten,or redistributed.