LabCorp Patients Personal & Health Data Exposed in Website Error

Experts at TechCrunch have discovered a security flaw in a website hosting an internal customer relationship management system used by the clinical laboratory network LabCorp. While the system was password protected, the experts found a flaw in the part of the system that gathered patient files from the back-end system. The flaw meant that patient data could be accessed without the need for a password, and the web address was visible to search engines.

Google had cached only one document including the health data of a patient, but by amending the document number in the web address the researchers could open other documents containing patient health information.

The researchers reviewed a small selection of files to see what types of data had been breached. The documents mostly included data about patients who had tests conducted by LabCorp’s Integrated Oncology specialty testing unit. The documents contained personal data including names and dates of birth, lab test results and diagnostic data, and for some patients, Social Security numbers.

TechCrunch experts used computer commands to discover the number of documents accessible on the website. They structured the commands to send back information about the properties of the files, rather than opening the documents, to avoid accessing patient details. The analysis showed that around 10,000 documents could potentially be accessed.

TechCrunch alerted LabCorp to the issue and the server was taken offline while the flaw was addressed. The link to the exposed data has not yet been deleted from Google, but it is no longer active and cannot be used to access patient data.

This is the second significant security incident to be suffered by LabCorp in the past 12 months. The records of LabCorp patients were breached in the 26 million-record breach at American Medical Collection Agency (AMCA) in March 2019. Initially, 7.7 million LabCorp patients were thought to have been affected, but the breach was reported to the HHS’ Office for Civil Rights as having impacted up to 10,251,7847 LabCorp patients.