LabCorp Cannot Catch a Break as a New Data Breach Is Revealed
A healthcare organization's involvement in a cybersecurity incident can never be good news. If it has to deal with two separate attacks in the span of less than eleven months, it's even more worrying, and when its customers have to suffer the consequences of three unrelated security breaches in about a year and a half, it's safe to say that the problems are quite significant. Unfortunately, this is exactly what has happened to LabCorp, one of the world's largest laboratory networks. In late January, it became apparent that its customers were put at risk for the third time in a little over 18 months, and this breach seems to be more serious than the previous two. Before we get to it, however, let's remind ourselves about LabCorp's past cybersecurity woes.
The first incident took place in July 2018. Back then, LabCorp detected suspicious activity on its systems, which, it later turned out, was caused by the SamSam ransomware. The IT team pulled down affected computers and servers, and the threat was contained relatively quickly. LabCorp apparently had backups, and the situation was resolved without any sensitive data getting lost or leaked.
Things were a bit different in June 2019 when LabCorp admitted that a data breach had put the personal and financial information of around 7.7 million patients at risk. The laboratory network's face was saved to some extent by the fact that the attack wasn't aimed at LabCorp itself. Instead, the data breach happened at American Medical Collection Agency (AMCA) – a billing company that was working with quite a few healthcare organizations. The attack was indeed massive, and the fallout was so horrific that AMCA soon had no other choice but to file for bankruptcy.
LabCorp was not to blame for that particular incident. For the latest breach, however, the responsibility lies solely with the laboratory network.
A security bug in LabCorp's website put thousands of documents at risk
Last month, TechCrunch's Zack Whittaker discovered a flaw in LabCorp's internal Customer Relationship Management (CRM) system. The system itself was connected to the internet, but it was protected by a password. Whittaker found out, however, that one of the CRM's most crucial parts, the mechanism that pulls patients' medical documents from LabCorp's backend, was accessible without authentication.
In Whittaker's words, "anyone who knew where to look" could locate the data leak, and to his horror, the reporter then discovered a document that had already been crawled and cached by Google. To make matters worse, Whittaker also realized that by incrementing the name of the document (which was visible in his address bar), he could gain access to other files.
TechCrunch's reporter used a computer script to automate the process and get a better understanding of the scope of the breach. Instead of scanning through the contents of all documents, his program would just query the server for the existence of files with incrementally different names. It turned out that the response was positive for no fewer than 10,000 documents.
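The two weaknesses described above, an unauthenticated document endpoint and sequential, guessable document names, are a textbook case of broken object-level authorization. The following Python is an added illustration written for this article; it is not LabCorp's code, and the document store, usernames and access-log lines in it are constructed. It places the vulnerable pattern beside a hardened version (authentication required, opaque random references instead of sequential ids, an ownership check that answers "not found" for both missing and foreign documents) and adds a small log check that flags clients walking consecutive ids, which is the kind of access pattern a defender would want to alert on.

```python
"""Vulnerable vs. hardened document retrieval, plus enumeration detection.

Everything here is constructed for illustration: the document store, the
owners, and the access-log lines. It is not code from LabCorp or TechCrunch.
"""
import secrets
from collections import defaultdict

# Constructed sample store: sequential document id -> (owner, contents)
DOCS = {
    1001: ("alice", "Lab result: constructed sample A"),
    1002: ("bob", "Diagnostic report: constructed sample B"),
    1003: ("alice", "Lab result: constructed sample C"),
}


def vulnerable_fetch(doc_id):
    """The pattern the article describes: no login, no ownership check, and a
    sequential id, so any client can walk the whole id space."""
    return DOCS.get(doc_id, (None, None))[1]


class DocumentService:
    """Hardened retrieval: session required, opaque references, owner check."""

    def __init__(self, docs):
        self._by_ref = {}
        self._refs_by_owner = defaultdict(set)
        for _doc_id, (owner, body) in docs.items():
            # Opaque, random reference that is not derived from the row id,
            # so knowing one reference gives no hint about the next.
            ref = secrets.token_urlsafe(16)
            self._by_ref[ref] = (owner, body)
            self._refs_by_owner[owner].add(ref)

    @staticmethod
    def _require_login(session):
        if not session or not session.get("authenticated"):
            raise PermissionError("authentication required")

    def refs_for(self, session):
        """List the references the logged-in user is allowed to see."""
        self._require_login(session)
        return sorted(self._refs_by_owner.get(session["user"], ()))

    def fetch(self, session, ref):
        self._require_login(session)
        entry = self._by_ref.get(ref)
        # Identical response for "does not exist" and "belongs to someone
        # else", so the endpoint does not disclose which references exist.
        if entry is None or entry[0] != session["user"]:
            raise LookupError("not found")
        return entry[1]


# Constructed access-log lines: "<client> <path> <status>"
SAMPLE_LOG = [
    "198.51.100.4 /documents/1002 200",
    "203.0.113.7 /documents/1000 404",
    "203.0.113.7 /documents/1001 200",
    "203.0.113.7 /documents/1002 200",
    "203.0.113.7 /documents/1003 200",
    "203.0.113.7 /documents/1004 404",
    "198.51.100.4 /documents/1003 200",
]


def flag_enumeration(log_lines, window=5):
    """Return clients whose requested ids form a run of `window` consecutive
    integers, in request order. A legitimate patient portal session rarely
    steps through neighbouring ids; an enumeration script always does."""
    ids_by_client = defaultdict(list)
    for line in log_lines:
        client, path, _status = line.split()
        ids_by_client[client].append(int(path.rsplit("/", 1)[1]))
    flagged = set()
    for client, ids in ids_by_client.items():
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= window:
                flagged.add(client)
                break
    return sorted(flagged)


if __name__ == "__main__":
    svc = DocumentService(DOCS)
    alice = {"authenticated": True, "user": "alice"}
    for ref in svc.refs_for(alice):
        print("alice ->", svc.fetch(alice, ref))
    print("enumerating clients:", flag_enumeration(SAMPLE_LOG))
```

The detection rule is deliberately simple (a run of consecutive ids from one client); in practice it would be combined with the rate of 404 responses and the number of distinct documents per client, but the structural fixes matter more than the alert: once references are random and every fetch is tied to an authenticated owner, there is nothing left to enumerate.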
The exposed documents leaked a lot of sensitive information
Whittaker wanted to understand how serious the leak was before reporting it to LabCorp. He took a small sample of the exposed documents and opened them to see what was in them. The files contained names, dates of birth, lab test results, and diagnostic reports. In some cases, people's Social Security Numbers were also accessible in the documents.
Given the nature of the leaked information, LabCorp could be facing some heavy fines under the Health Insurance Portability and Accountability Act (HIPAA), but perhaps more worryingly, the exposed details make affected individuals prime targets for identity theft. This is why Whittaker wasted no time informing LabCorp about the bug, and the server was soon pulled offline.
LabCorp is reluctant to talk about the incident
Zack Whittaker didn't have an easy time confirming that the leaked data was genuine. Some of the affected individuals he tried to contact had passed away while others didn't respond to his attempts to get in touch. One person did say that the information in the file was real, but it must be said that even without their confirmation, there should be little doubt in anyone's mind that the exposed documents contain valid data. After all, TechCrunch's cybersecurity reporter discovered them on LabCorp's server, and the laboratory company closed the leak itself.
Despite this, LabCorp refuses to issue an official statement on the matter. The previous two cybersecurity incidents were brought to the public's attention thanks to SEC filings, but now, LabCorp is unwilling to give anything more than a brief reply from a spokesperson. The company did tell TechCrunch that the bug has now been squashed, and it did promise to inform affected patients. LabCorp can't really deny the fact that the leaked documents were hosted on its servers, but according to TechCrunch, it is refusing to confirm that the files contain "LabCorp information."
We're not sure if this is doing the North Carolina-based company any favors. It's the third time LabCorp has made the news for all the wrong reasons, and unlike the first two incidents, this time, it doesn't seem to be particularly transparent about it. Hopefully, someone will realize that this isn't a very good strategy, and soon enough, we'll hear more about the potential exposure straight from the horse's mouth.