LabCorp Patients Personal & Health Data Exposed in Website Error

by Ryan Coyne | Feb 2, 2020

Experts at TechCrunch have discovered a security flaw in a website hosting an internal customer relationship management system used by the clinical laboratory network LabCorp. While the system was password protected, the experts found a flaw in the part of the system that fetched patient files from the back-end system. The flaw meant that patient data could be accessed without the need for a password, and the web address was visible to search engines.

Google had cached only one document containing the health data of a patient, but by amending the document number in the web address the researchers could open other documents containing patient health information.

The researchers reviewed a small selection of files to see what types of data had been breached. The documents mostly included data about patients who had tests conducted by LabCorp’s Integrated Oncology specialty testing unit. The documents contained personal data including names and dates of birth, lab test results and diagnostic data, and for some patients, Social Security numbers.

TechCrunch's experts used computer commands to discover the number of documents accessible on the website. They structured the commands to return information about the properties of the files, rather than opening the documents, to avoid accessing patient details. The analysis showed that around 10,000 documents could potentially be accessed.
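The flaw described above is the classic pattern of a file-fetch path that trusts the document number in the URL and never checks who is asking. The following is an added example, not code from TechCrunch, LabCorp or this site: a minimal document-serving handler written two ways, first reproducing that pattern and then hardened with an authentication check, an ownership check, a uniform "not found" response for both missing and foreign documents (so property-only probes cannot tell which numbers exist), no-store caching and a noindex header so a search engine does not cache the page. All names, tokens, document numbers and file bodies are constructed for the example.

```python
"""Constructed demo: an unauthenticated document endpoint beside a hardened one.
Added example; the store, sessions and IDs below are made up for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional
import secrets


@dataclass(frozen=True)
class Document:
    doc_id: str
    owner: str          # patient account that is allowed to read this document
    body: bytes


@dataclass(frozen=True)
class Response:
    status: int
    headers: Dict[str, str]
    body: bytes = b""


# Constructed sample store with sequential document numbers, as the article
# describes: guessing the next number is enough to reach another patient's file.
STORE: Dict[str, Document] = {
    "1001": Document("1001", "patient-a", b"%PDF constructed report for patient A"),
    "1002": Document("1002", "patient-b", b"%PDF constructed report for patient B"),
}

# Constructed session table: session token -> authenticated patient account.
SESSIONS: Dict[str, str] = {"tok-a": "patient-a"}

# Headers that keep a served document out of search-engine indexes and caches.
PRIVATE_HEADERS = {"Cache-Control": "no-store", "X-Robots-Tag": "noindex, nofollow"}


def serve_vulnerable(doc_id: str) -> Response:
    """Flaw pattern from the article: the fetch path performs no authentication
    and no ownership check, so any document with a guessable number is readable
    without a password, and nothing stops a crawler from caching the page."""
    doc = STORE.get(doc_id)
    if doc is None:
        return Response(404, {})
    return Response(200, {"Content-Type": "application/pdf"}, doc.body)


def serve_hardened(session_token: Optional[str], doc_id: str) -> Response:
    """Hardened version: valid session required, document must belong to that
    session's patient, and missing/foreign documents get the same response."""
    user = SESSIONS.get(session_token or "")
    if user is None:
        # No valid session: refuse before touching the document store at all.
        return Response(401, dict(PRIVATE_HEADERS))
    doc = STORE.get(doc_id)
    if doc is None or doc.owner != user:
        # Uniform 404 for "does not exist" and "not yours", so requests that
        # only ask for file properties cannot be used to count other documents.
        return Response(404, dict(PRIVATE_HEADERS))
    headers = {"Content-Type": "application/pdf", **PRIVATE_HEADERS}
    return Response(200, headers, doc.body)


def new_document_id() -> str:
    """Unguessable identifier for newly stored documents. The ownership check in
    serve_hardened remains the real control; this only removes the sequential
    numbering that made neighbouring documents trivial to reach."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    print("vulnerable, no session:", serve_vulnerable("1002").status)      # 200
    print("hardened, no session:  ", serve_hardened(None, "1002").status)  # 401
    print("hardened, wrong owner: ", serve_hardened("tok-a", "1002").status)  # 404
    print("hardened, own document:", serve_hardened("tok-a", "1001").status)  # 200
    print("fresh document id:     ", new_document_id())
```

The ownership check is the control that matters; unguessable identifiers and the noindex/no-store headers are defence in depth, and the uniform 404 is what removes the property-level enumeration the researchers used to size the exposure.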

TechCrunch alerted LabCorp to the issue and the server was taken offline while the flaw was addressed. The link to the exposed data has not yet been removed from Google's cache, but it is no longer active and cannot be used to access patient data.

This is the second significant security incident suffered by LabCorp in the past 12 months. The records of LabCorp patients were breached in the 26 million-record breach at American Medical Collection Agency (AMCA) in March 2019. 7.7 million LabCorp patients were first thought to have been affected, but the breach was reported to the HHS' Office for Civil Rights as having impacted up to 10,251,7847 LabCorp patients.


Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter
