American Medical Collection Agency, a billing collections service provider, said an "unauthorized user" accessed the agency's system that contained personal information from various entities, including Quest patients, the clinic said in a statement Monday.
The leaked data includes names, birth dates, addresses, phone numbers, financial information and medial information.
AMCA's breached system included financial information such as credit card numbers and bank account information, medical information, and personal information such as Social Security numbers, according to Quest's SEC filing in which it detailed information that AMCA had provided.
A full list of the affected customers has not been shared with LabCorp.
"The increased dependency on third party service providers entails a level of losing control, which in turn requires organizations to ensure their core assets are built securely and constantly tested", said Uri Barel, the Global Head of Cyber Security Practice at software testing company Qualitest.
Quest, LabCorp and Opko each said this week that have stopped sending bill requests to AMCA.
The data breach is estimated to have affected about 11.9 million customers of Quest Diagnostics and about 7.7 million of LabCorp.
BioReference has not sent any collection requests to AMCA since October 2018, and it will not send any new collection requests to AMCA, Opko Health said in the filing.
AMCA is investigating the incident, has notified law enforcement and is providing 24 months of free credit monitoring to affected patients, the collection agency said when reached for comment.
Opko Health said its affected unit, BioReference Laboratories Inc, suspended collection requests to AMCA since October a year ago, and has asked the vendor to stop working on any pending collection requests involving the company's customers.
In a similar recent incident, a data breach at Inmediata Health Group, a healthcare billing and administrative service provider, exposed the personal and medical data of MI residents.