LabCorp Patients Personal & Health Data Exposed in Website Error

Feb 2, 2020

Experts at TechCrunch have discovered a security flaw in a website hosting an internal customer relationship management system used by the clinical laboratory network LabCorp. While the system was password protected, the experts found a flaw in the part of the system that gathered patient files from the back-end system. The flaw meant that patient data could be accessed without the need for a password, and the web address was visible to search engines.

Google had cached only one document containing a patient's health data, but by amending the document number in the web address the researchers could open other documents containing patient health information.

The researchers reviewed a small selection of files to see what types of data had been breached. The documents mostly included data about patients who had tests conducted by LabCorp’s Integrated Oncology specialty testing unit. The documents contained personal data including names and dates of birth, lab test results and diagnostic data, and for some patients, Social Security numbers.

TechCrunch experts used computer commands to discover the number of documents accessible on the website. They structured the commands to send back information about the properties of the files, rather than opening the documents, to avoid accessing patient details. The analysis showed around 10,000 documents could potentially be accessed.
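The access pattern described above (documents served without a login, reached by changing the document number, and probed for file properties rather than content) leaves a recognizable trace in web server logs. The following detection sketch is an added example, not code from the article or from LabCorp; the `/crm/document?id=N` path, the addresses, the user name and the log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log in Common Log Format; the /crm/document?id=N path,
# the addresses and the user name are hypothetical, not taken from the article.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Feb/2020:10:00:01 +0000] "HEAD /crm/document?id=1001 HTTP/1.1" 200 0
203.0.113.7 - - [02/Feb/2020:10:00:02 +0000] "HEAD /crm/document?id=1002 HTTP/1.1" 200 0
203.0.113.7 - - [02/Feb/2020:10:00:03 +0000] "HEAD /crm/document?id=1003 HTTP/1.1" 200 0
203.0.113.7 - - [02/Feb/2020:10:00:04 +0000] "HEAD /crm/document?id=1004 HTTP/1.1" 404 0
203.0.113.7 - - [02/Feb/2020:10:00:05 +0000] "GET /crm/document?id=1005 HTTP/1.1" 200 48211
198.51.100.4 - jsmith [02/Feb/2020:10:01:00 +0000] "GET /crm/document?id=1002 HTTP/1.1" 200 48211
198.51.100.9 - - [02/Feb/2020:10:02:00 +0000] "GET /crm/document?id=2000 HTTP/1.1" 401 0
"""

LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) /crm/document\?id=(?P<doc>\d+) [^"]*" (?P<status>\d{3}) '
)

def unauthenticated_hits(log_text):
    """Map client IP -> set of document numbers served (2xx) with no authenticated user."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and m["user"] == "-" and m["status"].startswith("2"):
            hits[m["ip"]].add(int(m["doc"]))
    return hits

def longest_run(ids):
    """Length of the longest run of consecutive document numbers in ids."""
    best = 0
    for n in ids:
        if n - 1 not in ids:          # n starts a run
            length = 1
            while n + length in ids:
                length += 1
            best = max(best, length)
    return best

def find_enumeration(log_text, min_docs=3):
    """Return {ip: (distinct_docs, longest_run)} for clients that look like ID walkers."""
    return {ip: (len(ids), longest_run(ids))
            for ip, ids in unauthenticated_hits(log_text).items()
            if len(ids) >= min_docs}

if __name__ == "__main__":
    for ip, (count, run) in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {count} documents served without authentication, longest run {run}")
```

On a document endpoint that is meant to require a login, even a single entry returned by `unauthenticated_hits` is worth investigating; the `min_docs` threshold only separates a stray hit from a client walking the document numbers.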

TechCrunch alerted LabCorp to the issue and the server was taken offline while the flaw was addressed. The link to the exposed data has not yet been deleted from Google, but it is no longer active and cannot be used to access patient data.

This is the second significant security incident to be suffered by LabCorp in the past 12 months. The records of LabCorp patients were breached in the 26 million-record breach at American Medical Collection Agency (AMCA) in March 2019. 7.7 million LabCorp patients were first thought to have been affected, but the breach was reported to the HHS’ Office for Civil Rights as having impacted up to 10,251,7847 LabCorp patients.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University.
