Quest Diagnostics said the personal information of 11.9 million customers has potentially been compromised.
The clinical laboratory company said in a release that an "unauthorized user" gained access to a system used by American Medical Collection Agency (AMCA), a billing vendor hired by a Quest contractor called Optum360.
Quest said the information that may have been exposed included Social Security numbers and medical information, but not test results.
AMCA first notified Quest on May 14 of "potential unauthorized activity" on its payment page, Quest said. Two weeks later, according to Quest, AMCA then told Quest and Optum360 more about the breach, including the number of patients potentially affected and what information was accessed.
Quest said it has suspended using AMCA and that it was using "forensic experts" to examine the issue.
It also said that AMCA has not provided "detailed or complete information" about the hack, including which customers might have been affected. AMCA and Optum360 did not immediately respond to a request for comment from CNN Business.
"We are committed to keeping our patients, health care providers, and all relevant parties informed as we learn more," Quest said in the release.
Quest's stock was unchanged on the news. The company has roughly 2,200 locations across the United States, according to its website.