Flaw in LabCorp website exposes thousands of medical documents

A vulnerability in LabCorp's website left thousands of medical documents, such as test results, searchable online, according to TechCrunch, which found the flaw.

The bug was found in LabCorp's internal customer relationship management system. While the system is password-protected, the part of the website that was meant to pull patient files from the back-end system was unsecured. These unprotected web addresses ended up being searchable on Google.

TechCrunch estimates that at least 10,000 documents were exposed. Patient data that may have been compromised included names, dates of birth, Social Security numbers, test results and diagnostic information.

LabCorp has fixed the vulnerability. In a statement to TechCrunch, a company spokesperson said, "I can confirm that we have terminated access to the system."

This incident follows a June 2019 cybersecurity breach at LabCorp, when the company learned that 7.7 million of its consumers may have had their data exposed by third-party vendor American Medical Collection Agency.

"LabCorp has determined that an internal LabCorp system used by our Integrated Oncology business was accessed externally. This did not affect any external customer, client, vendor or other systems," said a LabCorp spokesperson in an emailed statement to Becker's Hospital Review. "We disabled access to that system promptly upon our confirmation of the application vulnerability. We continue to investigate this incident and will take further action, including notifying affected patients or regulatory authorities, that may be required or appropriate. LabCorp takes our responsibility to safeguard personal information seriously, and we remain committed to protecting patient privacy and security."

Editor's note: This story was updated Jan. 29 to include the statement from LabCorp. 


© Copyright ASC COMMUNICATIONS 2020.

 
