
LabCorp Security Lapse Exposed Thousands of Medical Documents (techcrunch.com)

A security flaw in LabCorp's website exposed thousands of medical documents, including test results containing sensitive health data. From a report: It's the second incident in the past year, after LabCorp said in June that 7.7 million patients had been affected by a credit card data breach at a third-party payments processor. That breach also hit several other laboratory testing companies, including Quest Diagnostics. This latest security lapse was caused by a vulnerability in a part of LabCorp's website understood to host the company's internal customer relationship management system. Although the system appeared to be protected with a password, the endpoint designed to pull patient files from the back-end system was left exposed. That unprotected web address was visible to search engines and was later cached by Google, making it accessible to anyone who knew where to look. The cached search result returned only one document, containing a single patient's health information. But changing and incrementing the document number in the web address made it possible to access other documents: the endpoint trusted the identifier in the URL without checking that the requester was entitled to that record, a textbook insecure direct object reference. The bug is now fixed.
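The bug class the report describes, modelled as an added example (this is not LabCorp's code and is not from the TechCrunch report): a document-fetch endpoint that serves whatever number is in the URL, beside a version that requires a session and checks that the document belongs to the caller, plus the cache and crawler headers that would have kept the URL out of a search-engine cache. The store, patient identifiers, document numbers and function names are all hypothetical, constructed for the example. The enumeration helper replays the attacker's step from the report (take the one cached URL and increment the document number) against both handlers.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Document:
    doc_id: int          # sequential number, as in the exposed URL
    patient_id: str      # owning patient (hypothetical identifier)
    body: str


# Constructed sample back-end store: hypothetical records, sequential IDs.
DOCUMENTS: Dict[int, Document] = {
    1001: Document(1001, "patient-A", "CBC results for patient A"),
    1002: Document(1002, "patient-B", "Lipid panel for patient B"),
    1003: Document(1003, "patient-C", "HbA1c result for patient C"),
}


class Unauthenticated(Exception):
    """No valid session was presented."""


class NotFound(Exception):
    """Document missing or not owned by the caller (same answer for both)."""


def fetch_document_vulnerable(doc_id: int) -> Document:
    """The exposed pattern: whatever document number is in the URL is looked
    up and returned. No session and no ownership check, so anyone who reaches
    the URL (including via a search-engine cache) can walk the ID space."""
    if doc_id not in DOCUMENTS:
        raise NotFound(doc_id)
    return DOCUMENTS[doc_id]


def fetch_document_hardened(session_patient_id: Optional[str], doc_id: int) -> Document:
    """Object-level authorization: require a session and bind the lookup to
    the caller's own records. A foreign document gets the same NotFound as a
    missing one, so the response does not confirm that other IDs exist."""
    if session_patient_id is None:
        raise Unauthenticated()
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.patient_id != session_patient_id:
        raise NotFound(doc_id)
    return doc


def response_headers() -> Dict[str, str]:
    """Headers for any response carrying patient data. They keep shared caches
    and crawlers away; they do not replace the authorization check above."""
    return {
        "Cache-Control": "no-store, private",
        "Pragma": "no-cache",
        "X-Robots-Tag": "noindex, nofollow",
    }


def enumerate_documents(fetch: Callable[[int], Document], start: int, count: int) -> List[int]:
    """Model the attacker's step from the report: start from one known
    document number and increment. Returns the IDs that were served."""
    served: List[int] = []
    for doc_id in range(start, start + count):
        try:
            fetch(doc_id)
        except (Unauthenticated, NotFound):
            continue
        served.append(doc_id)
    return served


def opaque_id_map(doc_ids) -> Dict[str, int]:
    """Defense in depth: expose unguessable handles instead of sequential
    numbers. This makes guessing impractical but is NOT a substitute for the
    ownership check, because a leaked handle still names a real document."""
    return {secrets.token_urlsafe(16): d for d in doc_ids}


if __name__ == "__main__":
    print("vulnerable:", enumerate_documents(fetch_document_vulnerable, 1001, 5))
    print("hardened, as patient-A:",
          enumerate_documents(lambda d: fetch_document_hardened("patient-A", d), 1001, 5))
    print("hardened, no session:",
          enumerate_documents(lambda d: fetch_document_hardened(None, d), 1001, 5))
```

The vulnerable handler hands the enumerator every document in the range; the hardened one returns only the caller's own record and nothing at all without a session. Note the order of the two defenses: the ownership check is the fix, and the opaque identifiers and no-store headers are what stop one leaked URL from becoming a cached, crawlable entry point.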
  • Don't worry, nobody's going to get in trouble over this. Just let it slide. It happens all the time and people just ignore it.
    • I'm waiting for websites to contain language adopted by movie studios. Something like, "no management personnel were harmed" in the making of this product. Nor will they ever be.
    • HIPAA actually does have some teeth, unlike some other privacy laws. Since this was protected health care information, there may be some hefty fines in store, as they are assessed per exposed record. We'll have to see what happens.

      • by AK Marc ( 707885 )
        It took 10 years for HIPAA to go after data breaches, but they have prosecuted a few. They'll certainly look into this one, but who knows what they'll do about it. For the first 10 years, I got to use the "lots have been prosecuted for failure to release documents, but not a single one for an accidental leak" line. But I had to stop after they started hitting breaches. Most of the breaches are like this one, completely stupid opening of the back end to the front end with no auth at all.

        I still fight t
        • I assume you showed the contractors the word addressable:
          https://www.hhs.gov/hipaa/for-... [hhs.gov]

          Show them that "addressable" doesn't mean optional and never did (you probably did):
          https://www.hhs.gov/hipaa/for-... [hhs.gov]

          I've also explained to consultants from PWC the nuances of HIPAA only to be ignored... I discovered that in 2014 when my firm dealt with them, their healthcare division was hiring people RIGHT out of college, having them read a 2 page HIPAA summary, take a 10 question test, and then billing out at astron

          • by AK Marc ( 707885 )
If you are sending the information over the Internet (or any unsecured communications channel), you are required to "protect" it. The cheapest and easiest way is to encrypt it in a VPN. So the Doctor has a VPN from the private server in her office to the private server in her house (not terminating on any shared or publicly addressable routers or other infrastructure). And the consultant came in and told her she's going to get fined if she doesn't encrypt the files, and send the files over and encrypted
>"I still fight the "encryption is required" lying contractors, and I note the law literally says "encryption not required". But I get shouted down by the liars looking to get paid."

          +1

For years I have been saying the same thing to contractors. It is as if they have no idea what the law is. And somehow "encryption" is a magical protection. It isn't. It is just a tool, like passwords and other tools.

          >"Most leaks are like this. The data was encrypted end to end, and the HTTPS delivered the leaked info.

  • by bobstreo ( 1320787 ) on Tuesday January 28, 2020 @04:34PM (#59665540)

    and medical insurance companies harvesting these records as quickly as they possibly can.

    • I'm thinking those companies are not likely that proactive, on the ball, or technically proficient to pull that off. If they were that good, maybe they could manage to do their actual jobs better. Incompetence is everywhere, especially in large organizations.

Good thing there's GDPR now so proper fines will be... oh...

It was made pretty, like the Web 2.0 reactive-dashboard look. These use more API-like calls, so it was probably rolled out rather quickly from dev, and instead of password-protecting stuff they rolled straight into production.
