Less than a year after a massive data leak exposed the contact and payment information of 7.7 million patients, American clinical testing giant LabCorp has experienced another significant breach. The number of affected patients is much lower this time, estimated at somewhere over 10,000 documents. But those who were exposed may have to deal with more damaging information leaking out, chiefly their Social Security number.
Another LabCorp data leak, this time with medical records
It is unclear how long the system was left exposed, but the public was not notified of the breach until January 30. LabCorp has said that the vulnerability is now fixed.
The data leak appears to primarily affect cancer patients who had tests run through LabCorp’s Integrated Oncology unit. An investigation by TechCrunch found that at least 10,000 of these records were accessible over the internet without a password.
Data exposed in these records includes names, dates of birth, Social Security numbers (though these were not present in all records), and protected medical information such as lab test results and diagnostic data.
An apparent misconfiguration in the company’s customer relations management system was the cause of the breach. This is an internal system that is normally protected with a password. However, a portion of the system designed to pull patient records somehow became publicly accessible without requiring login credentials. A patient record from this system was cached by Google; the TechCrunch investigation revealed that more patient records could be viewed by making incremental changes to a document number in the URL.
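The access-control failure described above, as an added illustration that is not LabCorp's code or TechCrunch's findings: an unauthenticated record lookup keyed by a sequential document number beside a hardened handler that requires a session, checks ownership, and tells caches and crawlers not to store the page, plus a log check that flags a client walking document numbers in sequence. Record data, session tokens and log lines are constructed.

```python
from collections import defaultdict
import re

# Constructed sample data: records keyed by a sequential document number,
# plus one valid session token (token -> authenticated user).
RECORDS = {1001: {"patient": "alice", "result": "panel A"},
           1002: {"patient": "bob", "result": "panel B"}}
SESSIONS = {"tok-alice": "alice"}

def fetch_record_exposed(doc_id):
    """The failure pattern: no session check, any number returns a record."""
    return RECORDS.get(doc_id)

def fetch_record_hardened(session_token, doc_id):
    """Valid session required, then object-level ownership check.
    Returns (status, record, headers); headers block caching and indexing."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, None, {}
    record = RECORDS.get(doc_id)
    if record is None or record["patient"] != user:
        return 404, None, {}  # same answer for missing and not-yours
    return 200, record, {"Cache-Control": "private, no-store",
                         "X-Robots-Tag": "noindex"}

LOG_RE = re.compile(r'^(\S+) .*"GET /records/(\d+) ')

def enumeration_suspects(log_lines, min_run=5):
    """Flag clients whose requests walk document numbers one by one."""
    ids_by_client = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            ids_by_client[m.group(1)].append(int(m.group(2)))
    suspects = {}
    for client, ids in ids_by_client.items():
        run = best = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            suspects[client] = best  # longest consecutive walk seen
    return suspects

# Constructed access-log lines: one client walks 1001..1005, another does not.
SAMPLE_LOG = [f'198.51.100.7 - - [30/Jan/2020] "GET /records/{n} HTTP/1.1" 200'
              for n in range(1001, 1006)] + [
    '203.0.113.9 - - [30/Jan/2020] "GET /records/1001 HTTP/1.1" 200',
    '203.0.113.9 - - [30/Jan/2020] "GET /records/1040 HTTP/1.1" 200']
```

Replacing the sequential document number with a non-guessable identifier is a further defence, but the ownership check remains the control that actually matters.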
The incident follows a data leak in May of last year that impacted a third-party payment system used by LabCorp. That leak did not expose any medical records, but it leaked the contact information of over seven million patients and in some cases included billing data (such as credit card and bank account numbers).
How dangerous is this breach?
Most of the information about this incident comes from TechCrunch, with LabCorp thus far releasing or confirming little information about it. It is therefore impossible to know for sure if other parties made use of this data leak before the TechCrunch investigators discovered and reported it.
Anyone who might have been impacted should assume that the data was scooped up by some other source, however. It was visible to search engines for an unknown period of time, with no hacking acumen required to access it. A simple Google search could have led anyone to it.
The leaked medical records are almost certainly a violation of the Health Insurance Portability and Accountability Act (HIPAA), however. Lab test and diagnostic information falls under a protected category. State and federal HIPAA fines can range from $100 to $50,000 per record with maximum penalties of up to $1.5 million per year.
Records with Social Security numbers provide more than enough information for identity theft. The other medical records might also be used for scams in which hackers pose as physicians and patient care organizations. These are quite common and come in a variety of forms. Hackers could make use of this information to identify vulnerable targets and approach them directly; senior citizens are most frequently targeted in this way. But hackers have also used information of this sort to forge health information for smuggling purposes, file fraudulent insurance claims and buy controlled drugs to resell them.
Is LabCorp particularly vulnerable?
While two breaches in a year is a serious failing that needs to be addressed, it is also not necessarily uncommon for an organization in the health care field that is the size of LabCorp.
“Breaches like the one affecting LabCorp illustrate the challenges of securely adopting SaaS at scale, particularly in highly targeted industries like healthcare. It’s the perfect example for why the next major trend in security is the adoption of solutions that enable fine-grained controls and visibility within a system, rather than just establishing perimeter controls. With the explosion of digital adoption across the healthcare industry, being able to manage data access at the individual level will become critical to securely managing medical data.”
“Breaches like the one affecting LabCorp illustrate the challenges of securing the increasingly complex digital ecosystems, particularly in sensitive industries like healthcare. Despite billions of dollars in spending, we continue to see breaches and exposures of critical assets, as was the case here, on an almost daily basis. Enterprises must recognize that not all assets have similar value to the organization and that they should focus on the most critical assets. Organizations that are able to develop an accurate inventory of all assets in their organization, as well as the criticality of those assets, can more effectively reduce risk than other organizations. Broad sets of security controls and processes across all assets are a major contributing factor to waste in information security programs.”
With little public information available about the more recent LabCorp data leak, it is difficult to analyze and unproductive to point fingers. Leaving a backend medical records system exposed is a serious failing that needs to be addressed, but on its own is not indicative of some sort of deep problems in the company.
It is more concerning when looked at through the lens of the much larger breach that occurred just nine months ago. That breach was of a different nature, originating with a vendor (the American Medical Collection Agency, which filed for bankruptcy and liquidated its assets only weeks after the data leak hit the news). That breach also stung Quest Diagnostics for 12 million of their medical records.
So the two clear and immediate needs for LabCorp are to revise its policies regarding vendor cybersecurity screening and monitoring, and to ensure proper IT staffing and training. The company is on its third strike, however, and yet another breach could prove devastating. Attempts will certainly be coming given the renewed attraction of threat actors to health care targets overflowing with medical records.
The company will very likely have to absorb some HIPAA fines for this most recent breach; were they to receive the minimum fine for each of the exposed medical records, they would still be looking at something close to the annual $1.5 million maximum. A class action suit pertaining to the 2019 data leak has also been filed in New York and is in the investigation phase. With an annual revenue of about $11 billion, however, LabCorp will likely weather these blows. The big question is if the company can continue to afford data breaches as stronger regulations (such as the California Consumer Privacy Act) come online.