Health Data, Medical Documents Exposed by LabCorp Website Error

TechCrunch found the back-end of LabCorp’s internal customer relationship management system exposing patient health data; several phishing attacks complete this week’s breach roundup.

An error in an internal customer relationship management system website of LabCorp left the health data and medical documents of thousands of patients exposed online, according to TechCrunch.

TechCrunch researchers discovered the flaw on part of the site that pulled patient files from the back-end of the system. At first glance it appeared the system was password-protected, but they found that portion of the site was left exposed to the internet and was visible in search engines, later cached by Google.

While the cached search first returned just one document, the researchers were able to increment the document number in the web address, which allowed access to other documents. According to the report, anyone who knew where to look for the data could have seen the exposed information.

Researchers used computer commands to communicate with the exposed server to determine just how many documents were exposed and found at least 10,000 documents. The exposed data was primarily related to cancer patients from LabCorp’s Integrated Oncology testing unit.

The compromised data included patient names, dates of birth, Social Security numbers, lab results, and diagnostics data.

TechCrunch discovered the error and notified LabCorp, which has since closed outside access. LabCorp did not confirm if the documents found belonged to the vendor.

This is the second massive security incident for LabCorp in the last year. The testing giant was among those affected by the American Medical Collection Agency breach, which had more than 25 million victims, including 7.7 million LabCorp patients. The companies have faced investigations and lawsuits following those reports.

200K Patients Impacted in June 2019 PIH Health Breach

Seven months after discovering a security incident, PIH Health is notifying nearly 200,000 patients that their data was potentially compromised after a targeted phishing campaign.

On June 18, 2019, officials said they discovered several employee email accounts had been compromised and potentially accessed. The email system and network were quickly secured, which included password resets.

An investigation assisted by a third-party cybersecurity team concluded in October and revealed those accounts were accessed for one week between June 11 and June 18. A second investigation was launched at that time to determine whether patient health information was contained in the impacted accounts.

On November 12, they determined the accounts contained information from both current and former PIH Health patients. The notification did not outline the type of data compromised by the incident. Officials stressed the breach was contained to the email accounts.

The notification should serve as a reminder that under HIPAA, covered entities are required to report PHI breaches within 60 days of discovery. Often, providers will choose to preemptively notify patients and then update their final tally once the investigation has concluded, as demonstrated by Ramsey County in Minnesota.

Adventist Health Phishing Attack

A phishing attack on Washington-based Adventist Health potentially compromised the data of about 2,653 patients.

On September 30, the information security team discovered a health associate fell victim to a phishing attack that compromised their Office 365 account credentials, including their hospital email account. The hacker used the stolen credentials to then access the employee’s email account in an attempt to redirect invoice payments and defraud the hospital and its vendors.

The account was immediately locked down by the security team, which then launched an investigation to confirm other hospital systems were not affected. Law enforcement was also contacted.

Officials said they determined in October that the account contained PHI, which included patient names, dates of birth, medical record numbers, hospital account numbers, insurance details, and other care-related information.

“We will also continue to provide regular reminders and training for associates on how to spot and avoid being victimized by phishing emails in the future,” officials wrote. “Cybercriminals will continue to find new ways to target company associates, and we must all continue to be vigilant against increasingly sophisticated phishing schemes.”
