LabCorp recently came under fire after a vulnerability was found on its website. The vulnerability reportedly left thousands of medical files and documents exposed.
This is the second incident involving LabCorp. Before this 2020 incident, the clinical laboratory suffered a data breach in 2019. That breach exposed credit card data via a third-party payments processor, according to TechCrunch.
The June 2019 data breach affected 7.7 million LabCorp patients.
Meanwhile, the January 2020 vulnerability reportedly exposed thousands of medical documents to hackers and attacks. The bug was identified within the internal customer relationship management system. According to TechCrunch, despite the system being protected with a password, “the part of the website designed to pull patient files from the back-end system was exposed.”
The exposed part of the web address was publicly reachable and therefore visible to search engines. TechCrunch also reports that the exposed back-end system was archived by Google.
Approximately 10,000 files were compromised by the bug. Most files contained patient information, such as names, dates of birth, and Social Security numbers. TechCrunch revealed that, of the documents it was able to examine, most belonged to cancer patients from the Oncology department.
Besides these details, the medical files also contained lab test results, information falling under the Health Insurance Portability and Accountability Act (HIPAA), and diagnostic outcomes.
The repercussions of this incident could have a huge impact over the next few years for patients who fall under that department, said Rachel Tobac, social engineer and hacker.
In a statement to TechCrunch, company representative Donald Von Hogan said, “I can confirm that we have terminated access to the system.”
In a further email to Becker’s Hospital Review, the spokesperson said, “LabCorp has determined that an internal LabCorp system used by our Integrated Oncology business was accessed externally. This did not affect any external customer, client, vendor or other systems.”
The spokesperson added, “We disabled access to that system promptly upon our confirmation of the application vulnerability. We continue to investigate this incident and will take further action, including notifying affected patients or regulatory authorities, that may be required or appropriate. LabCorp takes our responsibility to safeguard personal information seriously, and we remain committed to protecting patient privacy and security.”
As of writing, the clinical laboratory company has yet to announce whether it plans to inform state and federal authorities. However, it will take steps to inform patients affected by this website error.