LabCorp Exposes Thousands Of Medical Documents – Commentary

A vulnerability in the LabCorp website that hosts the company’s internal customer relationship management system exposed thousands (at least 10,000) of medical documents containing patients’ names, dates of birth, Social Security numbers, lab test results and diagnostic data. While the system was password-protected, the part of the website that pulls patient files from the back-end system was left exposed.

Expert Comments

January 29, 2020
Boris Cipot
Senior Sales Engineer
Synopsys
Digitalisation brings about a lot of benefits such as ease of information accessibility as well as environmental benefits that come with the elimination of printing and mailing paper copies to patients. With such benefits, digitalisation also introduces risk. Personal information such as that exposed within this incident is delicate. Personal medical information should clearly be handled securely. Systems storing and displaying personal information must be designed and developed with security mechanisms in place from the very beginning of the process. It must also be tested extensively before being deployed in order to avoid such mishaps as this. Unfortunately, when software security isn’t a priority, it can lead to a breach of privacy for a large number of individuals.
January 29, 2020
Jonathan Knudsen
Senior Security Strategist
Synopsys
The LabCorp vulnerability is what’s known as a direct object reference. Any patient’s health information could be retrieved, without authorization, simply by changing a number in a URL. Although initial access to the web site was protected by a password, anyone could access patient health information without authentication. The situation is very much like locking the door of your house but leaving the windows wide open—anyone can come in and steal what they want. This is a damaging vulnerability, both for patient privacy and LabCorp’s reputation, not to mention HIPAA violations. Unfortunately, it is also hardly surprising, given that the healthcare industry shows the longest time to identify and contain a breach (329 days!), according to the 2019 IBM Cost of a Data Breach report. No security is perfect, and bad things can happen to anyone. However, this type of vulnerability has been old news for some time, and it should have been caught and addressed during the development of the patient information web site. In a secure development life cycle (SDLC), security is a consideration at every stage of development, from the design and architecture of a system through its implementation, testing, and maintenance. At best, this vulnerability would have been detected and fixed during the design of the system. At worst, it should have been found during testing. Even that would have been far better than releasing this vulnerability into the world and exposing patients’ confidential health information.
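The "direct object reference" pattern Knudsen describes above, shown as an added illustration that is not code from the original commentary, from LabCorp, or from any of the commentators: a login-protected site whose file-retrieval endpoint trusts the record number in the URL, beside a handler that requires an authenticated session and checks that the requested document belongs to that patient. The document store, patient ids and session dictionaries are constructed for the example; the function names are assumptions, not any real framework's API.

```python
"""Added illustration (not LabCorp code): a per-object authorization gap
and the ownership check that closes it. All records, ids and sessions
below are constructed sample data."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Document:
    doc_id: int
    patient_id: str
    body: str


# Constructed back-end store: two documents belonging to two different patients.
DOCUMENTS = {
    1001: Document(1001, "patient-A", "lab result for patient A"),
    1002: Document(1002, "patient-B", "lab result for patient B"),
}


class AuthenticationError(Exception):
    """Raised when no logged-in principal is present in the session."""


class AuthorizationError(Exception):
    """Raised when the principal may not read the requested object."""


def fetch_document_unchecked(session: dict, doc_id: int) -> Optional[Document]:
    """The gap being described: the login page is protected, but the endpoint
    that pulls a file from the back end only looks at the id in the URL. It
    never consults the session, so any id resolves for any caller, including
    one with no session at all."""
    return DOCUMENTS.get(doc_id)


def fetch_document(session: dict, doc_id: int) -> Document:
    """Hardened handler: authenticate first, then authorize the specific object.
    The ownership test is what a password on the front door cannot provide."""
    patient = session.get("patient_id")
    if not patient:
        raise AuthenticationError("login required")
    doc = DOCUMENTS.get(doc_id)
    # Same outcome for "no such document" and "not your document", so the
    # endpoint does not reveal which ids exist.
    if doc is None or doc.patient_id != patient:
        raise AuthorizationError("document not found")
    return doc


def can_read(session: dict, doc_id: int) -> bool:
    """Convenience wrapper: True only when the hardened handler would serve it."""
    try:
        fetch_document(session, doc_id)
        return True
    except (AuthenticationError, AuthorizationError):
        return False


if __name__ == "__main__":
    logged_in_as_a = {"patient_id": "patient-A"}
    # Unchecked endpoint: patient A (or nobody) can pull patient B's file.
    print("unchecked, no session:", fetch_document_unchecked({}, 1002))
    print("unchecked, as A:", fetch_document_unchecked(logged_in_as_a, 1002))
    # Hardened endpoint: A gets A's file, and nothing else.
    print("checked, own file:", fetch_document(logged_in_as_a, 1001))
    print("checked, other patient's file readable?", can_read(logged_in_as_a, 1002))
    print("checked, no session readable?", can_read({}, 1001))
```

The point of the hardened version is that authentication and authorization are separate decisions: knowing who is logged in says nothing about which records they may see, so every object lookup carries its own ownership check. A review or test pass that tries a valid session against another patient's record id would have caught the unchecked variant.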
January 29, 2020
Robert Prigge
CEO
Jumio
This is LabCorp’s second time making headlines in less than a year. Yes, this new breach is less egregious than last summer’s breach affecting 7.7 million in that only "thousands of medical documents" containing sensitive health data were impacted. However, the impact on the downstream lives of those thousands of affected patients may be significant, as there's a better-than-average chance that much of their PII is now on the dark web, leaving them vulnerable to identity theft, account takeover and even prescription fraud.
January 30, 2020
Piyush Pandey
CEO
Appsian
Breaches like the one affecting LabCorp illustrate the challenges of securely adopting SaaS at scale, particularly in highly targeted industries like healthcare. It’s the perfect example for why the next major trend in security is the adoption of solutions that enable fine-grained controls and visibility within a system, rather than just establishing perimeter controls. With the explosion of digital adoption across the healthcare industry, being able to manage data access at the individual level will become critical to securely managing medical data.
January 30, 2020
Vinay Sridhara
CTO
Balbix
Breaches like the one affecting LabCorp illustrate the challenges of securing the increasingly complex digital ecosystems, particularly in sensitive industries like healthcare. Despite billions of dollars in spending, we continue to see breaches and exposures of critical assets, as was the case here, on an almost daily basis. Enterprises must recognize that not all assets have similar value to the organization and that they should focus on the most critical assets. Organizations that are able to develop an accurate inventory of all assets in their organization, as well as the criticality of those assets, can more effectively reduce risk than other organizations. Broad sets of security controls and processes across all assets are a major contributing factor to waste in information security programs.
January 29, 2020
Stephan Chenette
Co-Founder and CTO
AttackIQ
The healthcare industry is one of the primary targets for cybercriminals because selling protected health information (PHI) on dark web marketplaces can be extremely profitable. Unlike, for example, financial data, healthcare data usually contains fixed information, such as dates of birth and Social Security Numbers, which thieves can leverage to commit identity theft for years to come. LabCorp and other healthcare organizations, who manage large amounts of confidential patient information, must take proactive approaches to protect their data. This should include mapping organizational capabilities and security controls to specific attack scenarios to measure their preparedness to detect, prevent and respond to these threats. They should also employ continuous evaluation of their existing security controls to uncover gaps before a hacker finds and exploits any weaknesses. Additionally, organizations should do their due diligence in ensuring third-party partners are practicing adequate security measures and extend testing to partners as well.