[BreachExchange] Flaw in LabCorp website exposes thousands of medical documents

Destry Winant destry at riskbasedsecurity.com
Wed Jan 29 10:03:23 EST 2020


https://www.beckershospitalreview.com/cybersecurity/flaw-in-labcorp-website-exposes-thousands-of-medical-documents.html

A vulnerability in LabCorp's website allowed for thousands of medical
documents, such as test results, to be searchable online, according to
TechCrunch, which found the flaw.

The bug was found in LabCorp's internal customer relationship
management system. While the system is password protected, the part of
the website that was meant to pull patient files from the back-end
system was unsecured. These unprotected web addresses ended up being
searchable on Google.

TechCrunch estimates that at least 10,000 documents were exposed.
Patient data that may have been compromised included names, dates of
birth, Social Security numbers, test results and diagnostic
information.

LabCorp has fixed the vulnerability. In a statement to TechCrunch, a
company spokesperson said, "I can confirm that we have terminated
access to the system."

This incident follows a June 2019 cybersecurity breach at LabCorp, when
the company learned that 7.7 million of its consumers may have had
their data exposed by third-party vendor American Medical Collection
Agency.

"LabCorp has determined that an internal LabCorp system used by our
Integrated Oncology business was accessed externally. This did not
affect any external customer, client, vendor or other systems," said a
LabCorp spokesperson in an emailed statement to Becker's Hospital
Review. "We disabled access to that system promptly upon our
confirmation of the application vulnerability. We continue to
investigate this incident and will take further action, including
notifying affected patients or regulatory authorities, that may be
required or appropriate. LabCorp takes our responsibility to safeguard
personal information seriously, and we remain committed to protecting
patient privacy and security."

