Breach of LabCorp Patients’ Personal and Health Data Due to Website Error

TechCrunch researchers found a security error on a website that LabCorp uses to host its internal customer relationship management system. Although the system is password protected, the researchers discovered an error in the back-end system that exposed patient records. The error made it possible to access patient data without a password, and search engines had indexed the web URL.

Google had cached just one document containing a patient's health data. However, the researchers were able to see other patient records with health data just by modifying the document number in the web URL.

The researchers examined sample patient documents to find out which types of records were compromised. The documents associated with patients who had completed testing at the Integrated Oncology specialty screening department of LabCorp were exposed. The records contained private information including names, laboratory test information, diagnostic information, dates of birth and Social Security numbers of certain patients.

TechCrunch researchers used computer commands to determine how many documents were accessible on the website. The commands made it possible to collect information about the files' properties without opening the documents to see the patient information. The investigation confirmed that nearly 10,000 documents were accessible.
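The pattern described above (documents served without a password, and many document numbers requested by one client) leaves a recognizable trace in web server access logs. The following is an added example, not code from TechCrunch or LabCorp; the log format, the `/crm/document` path, the `id` parameter and all sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in Combined Log Format. The /crm/document path and the
# id parameter are assumptions, not details of the reported site.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "HEAD /crm/document?id=1001 HTTP/1.1" 200 0
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "HEAD /crm/document?id=1002 HTTP/1.1" 200 0
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "HEAD /crm/document?id=1003 HTTP/1.1" 200 0
203.0.113.7 - - [01/Jan/2024:10:00:04 +0000] "HEAD /crm/document?id=1004 HTTP/1.1" 200 0
198.51.100.9 - jdoe [01/Jan/2024:10:01:00 +0000] "GET /crm/document?id=2001 HTTP/1.1" 200 5120
198.51.100.9 - jdoe [01/Jan/2024:10:02:00 +0000] "GET /crm/document?id=2002 HTTP/1.1" 200 4096
192.0.2.44 - - [01/Jan/2024:10:03:00 +0000] "GET /crm/document?id=1001 HTTP/1.1" 401 0
192.0.2.44 - - [01/Jan/2024:10:03:05 +0000] "GET /crm/document?id=3001 HTTP/1.1" 200 5120
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)\?id=(?P<doc>\d+) [^"]*" (?P<status>\d{3}) '
)

def unauthenticated_hits(log_text):
    """Map client IP -> document ids served (HTTP 200) with no logged-in user."""
    served = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # "-" in the user field means the server recorded no authenticated identity.
        if m and m["user"] == "-" and m["status"] == "200":
            served[m["ip"]].add(int(m["doc"]))
    return served

def exposed_documents(log_text):
    """Every id served without authentication; even one is an access-control failure."""
    return sorted(set().union(*unauthenticated_hits(log_text).values()))

def enumerating_clients(log_text, min_docs=3):
    """Clients that walked at least min_docs distinct ids without authenticating."""
    return {ip: sorted(ids) for ip, ids in unauthenticated_hits(log_text).items()
            if len(ids) >= min_docs}

if __name__ == "__main__":
    print("exposed ids:", exposed_documents(SAMPLE_LOG))
    print("enumeration:", enumerating_clients(SAMPLE_LOG))
```

The list from `exposed_documents` scopes which records need breach assessment, while `enumerating_clients` separates bulk walking of document numbers from a single stray request.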

TechCrunch notified LabCorp about the problem. The clinical laboratory network immediately disabled the server while it rectified the error. Google has not yet removed the cached link to the compromised record; nevertheless, the page no longer appears online and no patient data is viewable.

This is the second serious security incident that LabCorp has had in the last year. In March 2019, the 26 million record breach that occurred at the American Medical Collection Agency (AMCA) impacted the files of LabCorp patients. Initially, it was assumed that 7.7 million LabCorp patients were impacted. However, the breach report submitted to the HHS' Office for Civil Rights stated that around 10,251,7847 LabCorp patients were affected.