TechCrunch researchers discovered a security flaw in a website used to host LabCorp’s internal customer relationship management system. Although the system is password-protected, the researchers identified a flaw in the back-end component that retrieves patient records. The flaw allowed patient data to be accessed without a password, and the URL had been indexed by search engines.
Google had cached just one document containing a patient’s health data. However, the researchers were able to view other patients’ records simply by changing the document number in the URL.
The researchers analyzed sample documents to find out what types of information were compromised. The documents primarily related to patients who had undergone tests at LabCorp’s Integrated Oncology specialty testing unit. They contained the following personal data: names and dates of birth, laboratory test results and diagnostic information, and, for some patients, Social Security numbers.
TechCrunch researchers tried to determine how many documents could be accessed on the website by using commands that return only the files’ properties, rather than opening the files and viewing the patient data. The analysis showed that approximately 10,000 documents were potentially accessible.
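As an added illustration (not code from TechCrunch or LabCorp), the following Python detection logic scans constructed web-server log lines for the access pattern described above: one client walking consecutive document numbers, or retrieving documents with no session at all. The `/docs/<id>` path, the log format and the IP addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (hypothetical /docs/<id> path, not LabCorp's real URL scheme).
# Fields: client_ip status method path session_cookie_present(yes/no)
SAMPLE_LOG = """\
198.51.100.7 200 HEAD /docs/10231 no
198.51.100.7 200 HEAD /docs/10232 no
198.51.100.7 200 HEAD /docs/10233 no
198.51.100.7 200 HEAD /docs/10234 no
198.51.100.7 200 HEAD /docs/10235 no
203.0.113.9 200 GET /docs/10500 yes
203.0.113.9 200 GET /docs/10500 yes
203.0.113.9 200 GET /docs/10777 yes
"""

LINE_RE = re.compile(r"^(\S+) (\d{3}) (GET|HEAD) /docs/(\d+) (yes|no)$")

def parse_log(text):
    """Yield (ip, status, method, doc_id, has_session) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, status, method, doc_id, cookie = m.groups()
            yield ip, int(status), method, int(doc_id), cookie == "yes"

def find_enumeration(text, min_distinct=4):
    """Return {ip: details} for clients whose successful document requests look like
    enumeration: at least min_distinct distinct ids, and either a consecutive run of
    that length or at least one request made without a session cookie."""
    by_ip = defaultdict(lambda: {"ids": set(), "unauth": 0})
    for ip, status, method, doc_id, has_session in parse_log(text):
        if status != 200:          # only successful document reads matter here
            continue
        by_ip[ip]["ids"].add(doc_id)
        if not has_session:
            by_ip[ip]["unauth"] += 1
    findings = {}
    for ip, d in by_ip.items():
        ids = sorted(d["ids"])
        longest = run = 1
        for a, b in zip(ids, ids[1:]):   # length of the longest consecutive-id run
            run = run + 1 if b == a + 1 else 1
            longest = max(longest, run)
        if len(ids) >= min_distinct and (longest >= min_distinct or d["unauth"] > 0):
            findings[ip] = {"distinct": len(ids), "longest_run": longest, "unauth": d["unauth"]}
    return findings

if __name__ == "__main__":
    for ip, f in find_enumeration(SAMPLE_LOG).items():
        print(ip, f)
```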
TechCrunch alerted LabCorp to the problem, and the clinical laboratory network took the server offline while fixing the flaw. Google has not yet removed the cached link to the exposed document, but the page is no longer active and the patient data is not viewable.
This is LabCorp’s second serious security incident in the last 12 months. In March 2019, LabCorp patients’ records were compromised in the American Medical Collection Agency (AMCA) breach involving 26 million records. Initially, it was thought that 7.7 million LabCorp patients were affected. However, the breach report submitted to the HHS’ Office for Civil Rights indicated that about 10,251,7847 LabCorp patients were impacted.