Medical testing company Quest Diagnostics revealed on Monday that a third-party billing company has been hit by a data breach affecting 11.9 million patients. The breach affected the personal information of the patients, including Social Security numbers, financial information and medical data.

The company made the revelation in a filing with the Securities and Exchange Commission. In the filling, the company stated that the breach was the outcome of unauthorized access to the American Medical Collection Agency, (AMCA) system, a billing collection service provider for Quest.

The breach dated back to between August 1, 2018 and May 31, 2019, the company stated. The breach also affected data from Optum360, a Quest contractor that also uses the AMCA’s billing services.

Quest stated that it was yet to receive “complete information” on the details of the breach from the AMCA, such as which customers were impacted, and that it has also not been able to verify that the breach took place.

This is the second breach affecting Quest customers in three years. In 2016, the company said 34,000 patients had data stolen by hackers.