Expert Comments

LabCorp Exposes Thousands Of Medical Documents – Commentary

Expert(s): Security Experts
Expert(s): Security Experts

A vulnerability in LabCorp’s website that hosts the company’s internal customer relationship management system, exposed thousands (at least 10,000) of medical documents that contained names, dates of birth, Social Security numbers of patients, lab test results and diagnostic data. While the system was password-protected, the part of the website that pulls patient files from the back-end system was left exposed.

Experts Comments

Dot Your Expert Comments
Boris Cipot
January 29, 2020
Senior Sales Engineer
Synopsys

Personal information such as that exposed within this incident is delicate.
Digitalisation brings about a lot of benefits such as ease of information accessibility as well as environmental benefits that come with the elimination of printing and mailing paper copies to patients. With such benefits, digitalisation also introduces risk. Personal information such as that exposed within this incident is delicate. Personal medical information should clearly be handled securely. Systems storing and displaying personal information must be designed and developed with security.....Read More
Digitalisation brings about a lot of benefits such as ease of information accessibility as well as environmental benefits that come with the elimination of printing and mailing paper copies to patients. With such benefits, digitalisation also introduces risk. Personal information such as that exposed within this incident is delicate. Personal medical information should clearly be handled securely. Systems storing and displaying personal information must be designed and developed with security mechanisms in place from the very beginning of the process. It must also be tested extensively before being deployed in order to avoid such mishaps as this. Unfortunately, when software security isn’t a priority, it can lead to a breach of privacy for a large number of individuals.  Read Less
Jonathan Knudsen
January 29, 2020
Senior Security Strategist
Synopsys

No security is perfect, and bad things can happen to anyone.
The LabCorp vulnerability is what’s known as a direct object reference. Any patient’s health information could be retrieved, without authorization, simply by changing a number in a URL. Although initial access to the web site was protected by a password, anyone could access patient health information without authentication. The situation is very much like locking the door of your house but leaving the windows wide open—anyone can come in and steal what they want. This is a damaging.....Read More
The LabCorp vulnerability is what’s known as a direct object reference. Any patient’s health information could be retrieved, without authorization, simply by changing a number in a URL. Although initial access to the web site was protected by a password, anyone could access patient health information without authentication. The situation is very much like locking the door of your house but leaving the windows wide open—anyone can come in and steal what they want. This is a damaging vulnerability, both for patient privacy and LabCorp’s reputation, not to mention HIPAA violations. Unfortunately, it is also hardly surprising, given that the healthcare industry shows the longest time to identify and contain a breach (329 days!), according to the 2019 IBM Cost of a Data Breach report. No security is perfect, and bad things can happen to anyone. However, this type of vulnerability has been old news for some time, and it should have been caught and addressed during the development of the patient information web site. In a secure development life cycle (SDLC), security is a consideration at every stage of development, from the design and architecture of a system through its implementation, testing, and maintenance. At best, this vulnerability would have been detected and fixed during the design of the system. At worst, it should have been found during testing. Even that would have been far better than releasing this vulnerability into the world and exposing patient’s confidential health information.  Read Less
Robert Prigge
January 29, 2020
CEO
Jumio

However, the impact on the downstream lives of those thousands of affected patients may be significant.
This is LabCorp’s second time making headlines in less than a year. Yes, this new breach is less egregious than last summer’s breach affecting 7.7 million in that only "thousands of medical documents" containing sensitive health data were impacted. However, the impact on the downstream lives of those thousands of affected patients may be significant, as there's a better-than-average chance that much of their PII is now on the dark web, leaving them vulnerable to identity theft, account.....Read More
This is LabCorp’s second time making headlines in less than a year. Yes, this new breach is less egregious than last summer’s breach affecting 7.7 million in that only "thousands of medical documents" containing sensitive health data were impacted. However, the impact on the downstream lives of those thousands of affected patients may be significant, as there's a better-than-average chance that much of their PII is now on the dark web, leaving them vulnerable to identity theft, account takeover and even prescription fraud.  Read Less
Piyush Pandey
January 30, 2020
CEO
Appsian

Breaches like the one affecting LabCorp illustrate the challenges of securely adopting SaaS at scale.
Breaches like the one affecting LabCorp illustrate the challenges of securely adopting SaaS at scale, particularly in highly targeted industries like healthcare. It’s the perfect example for why the next major trend in security is the adoption of solutions that enable fine-grained controls and visibility within a system, rather than just establishing perimeter controls. With the explosion of digital adopting across the healthcare industry, being able to manage data access at the individual.....Read More
Breaches like the one affecting LabCorp illustrate the challenges of securely adopting SaaS at scale, particularly in highly targeted industries like healthcare. It’s the perfect example for why the next major trend in security is the adoption of solutions that enable fine-grained controls and visibility within a system, rather than just establishing perimeter controls. With the explosion of digital adopting across the healthcare industry, being able to manage data access at the individual level will become critical to securely managing medical data.  Read Less
Vinay Sridhara
January 30, 2020
CTO
Balbix

Organizations that are able to develop an accurate inventory of all assets in their organization.
Breaches like the one affecting LabCorp illustrate the challenges of securing the increasingly complex digital ecosystems, particularly in sensitive industries like healthcare. Despite billions of dollars in spending, we continue to see breaches and exposures of critical assets, as was the case here, on an almost daily basis. Enterprises must recognize that not all assets have similar value to the organization and that they should focus on the most critical assets. Organizations that are able.....Read More
Breaches like the one affecting LabCorp illustrate the challenges of securing the increasingly complex digital ecosystems, particularly in sensitive industries like healthcare. Despite billions of dollars in spending, we continue to see breaches and exposures of critical assets, as was the case here, on an almost daily basis. Enterprises must recognize that not all assets have similar value to the organization and that they should focus on the most critical assets. Organizations that are able to develop an accurate inventory of all assets in their organization, as well as the criticality of those assets, can more effectively reduce risk than other organizations. Broad sets of security controls and processes across all assets is a major contributing factor to waste in information security programs.  Read Less
Stephan Chenette
January 29, 2020
Co-Founder and CTO
AttackIQ

LabCorp and other healthcare organizations, who manage large amounts of confidential patient information.
The healthcare industry is one the primary targets for cybercriminals because selling protected health information (PHI) on dark web marketplaces can be extremely profitable. Unlike, for example, financial data, healthcare data usually contains fixed information, such as dates of birth and Social Security Numbers, which thieves can leverage to commit identity theft for years to come. LabCorp and other healthcare organizations, who manage large amounts of confidential patient information,.....Read More
The healthcare industry is one the primary targets for cybercriminals because selling protected health information (PHI) on dark web marketplaces can be extremely profitable. Unlike, for example, financial data, healthcare data usually contains fixed information, such as dates of birth and Social Security Numbers, which thieves can leverage to commit identity theft for years to come. LabCorp and other healthcare organizations, who manage large amounts of confidential patient information, must take proactive approaches to protect their data. This should include mapping organizational capabilities and security controls to specific attack scenarios to measure their preparedness to detect, prevent and respond to these threats. They should also employ continuous evaluation of their existing security controls to uncover gaps before a hacker finds and exploits any weaknesses. Additionally, organizations should do their due diligence in ensuring third-party partners are practicing adequate security measures and extend testing to partners as well.  Read Less

Dot Your Expert Comments


Only for registered and approved experts. Please register before providing comments. Register here
* By using this form you agree with the storage and handling of your data by this web site.
Submit
0
FacebookTwitterLinkedinWhatsappEmail

You may also like

Fake App Attacks On The Rise, As Malware Hides In...

Expert On Study That Brits Using Pets’ Names As Online...

Expert Reaction On Europol Publishes Its Serious And Organised Crime...

Fake Netflix App Allows Hackers to Hijack WhatsApp

Hackers Pretend To Be Your Friend In The Latest WhatsApp...

Millions Of Brits Still Using Pet’s Names As Passwords Despite...

Advertised Sites May Appear Genuine On First Glance

Facebook Ran Ads For Malware-ridden ‘Clubhouse for PC’

Linkedin Data Of 500 Million Users Being Sold Online

Experts Comments On Identity Management Day – Tuesday 13th April