A vulnerability in LabCorp’s website that hosts the company’s internal customer relationship management system, exposed thousands (at least 10,000) of medical documents that contained names, dates of birth, Social Security numbers of patients, lab test results and diagnostic data. While the system was password-protected, the part of the website that pulls patient files from the back-end system was left exposed.
LabCorp Security Lapse Exposed Thousands of Medical Documents: https://t.co/0qSPtG07me #slashdot A security flaw in LabCorp's website exposed thousands of medical documents, like test results containing sensitive health data. From a report: It's the second incident in the past …
— Jimmy Persson (@Jimbo0o0) January 29, 2020
Breaches like the one affecting LabCorp illustrate the challenges of securely adopting SaaS at scale, particularly in highly targeted industries like healthcare. It’s the perfect example for why the next major trend in security is the adoption of solutions that enable fine-grained controls and visibility within a system, rather than just establishing perimeter controls. With the explosion of digital adopting across the healthcare industry, being able to manage data access at the individual level will become critical to securely managing medical data.
Breaches like the one affecting LabCorp illustrate the challenges of securing the increasingly complex digital ecosystems, particularly in sensitive industries like healthcare. Despite billions of dollars in spending, we continue to see breaches and exposures of critical assets, as was the case here, on an almost daily basis. Enterprises must recognize that not all assets have similar value to the organization and that they should focus on the most critical assets. Organizations that are able to develop an accurate inventory of all assets in their organization, as well as the criticality of those assets, can more effectively reduce risk than other organizations. Broad sets of security controls and processes across all assets is a major contributing factor to waste in information security programs.
Digitalisation brings about a lot of benefits such as ease of information accessibility as well as environmental benefits that come with the elimination of printing and mailing paper copies to patients. With such benefits, digitalisation also introduces risk. Personal information such as that exposed within this incident is delicate. Personal medical information should clearly be handled securely. Systems storing and displaying personal information must be designed and developed with security mechanisms in place from the very beginning of the process. It must also be tested extensively before being deployed in order to avoid such mishaps as this. Unfortunately, when software security isn’t a priority, it can lead to a breach of privacy for a large number of individuals.
The LabCorp vulnerability is what’s known as a direct object reference. Any patient’s health information could be retrieved, without authorization, simply by changing a number in a URL. Although initial access to the web site was protected by a password, anyone could access patient health information without authentication. The situation is very much like locking the door of your house but leaving the windows wide open—anyone can come in and steal what they want.
This is a damaging vulnerability, both for patient privacy and LabCorp’s reputation, not to mention HIPAA violations. Unfortunately, it is also hardly surprising, given that the healthcare industry shows the longest time to identify and contain a breach (329 days!), according to the 2019 IBM Cost of a Data Breach report.
No security is perfect, and bad things can happen to anyone. However, this type of vulnerability has been old news for some time, and it should have been caught and addressed during the development of the patient information web site. In a secure development life cycle (SDLC), security is a consideration at every stage of development, from the design and architecture of a system through its implementation, testing, and maintenance. At best, this vulnerability would have been detected and fixed during the design of the system. At worst, it should have been found during testing. Even that would have been far better than releasing this vulnerability into the world and exposing patient’s confidential health information.
This is LabCorp’s second time making headlines in less than a year. Yes, this new breach is less egregious than last summer’s breach affecting 7.7 million in that only \”thousands of medical documents\” containing sensitive health data were impacted. However, the impact on the downstream lives of those thousands of affected patients may be significant, as there\’s a better-than-average chance that much of their PII is now on the dark web, leaving them vulnerable to identity theft, account takeover and even prescription fraud.