LabCorp has confirmed that its internal system was accessed by an unauthorized person but would not give any further details pertaining to the number of people or types of data possibly affected.
In a statement to SC Media, LabCorp said it has determined that an internal company system used by its Integrated Oncology business was accessed externally. LaborCorp added that no customer, client, vendor or other external system was affected and that access to the system in question was immediately disabled.
“We continue to investigate this incident and will take further action, including notifying affected patients or regulatory authorities, that may be required or appropriate,” the company said.
TechCrunch offered more details reporting the vulnerability was due to the company leaving part of its database unprotected. The unprotected URL was searched and indexed by Google exposing a single document, however, by changing the document number others could be accessed. TechCrunch research found about 10,000 documents could be exposed in this manner which contained a large amount of PHI on each patient including Social Security numbers and test results.
The vulnerability has been fixed.
"The LabCorp security flaw is a case of Insecure Direct Object References Vulnerability that allowed the attacker to discover and bypass authorization and access critical resources directly by modifying the value of a parameter (which was most likely a patient ID) in order to gain access to patient PII data. Such critical resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization and validation checks,” said Chetan Conikee, chief technology officer at ShiftLeft.
This is the second data incident LabCorp has been involved with within the last seven months. In June the company reported 7.7 million of its customers were part of the American Medical Collection Agency (AMCA) data breach. This breach affected in excess of 20 million people resulted in AMCA’s parent firm the bill collection firm Retrieval-Masters Creditors Bureau to file for Chapter 11 bankruptcy.
“Yes, this new breach is less egregious than last summer’s breach affecting 7.7 million in that only ‘thousands of medical documents’ containing sensitive health data were impacted. However, the impact on the downstream lives of those thousands of affected patients may be significant, as there's a better-than-average chance that much of their PII is now on the dark web, leaving them vulnerable to identity theft, account takeover and even prescription fraud,” said Robert Prigge, CEO of Jumio.