Medical Diagnostics Firm LabCorp Leaked Thousands Of Confidential Medical Records
LabCorp is one of the largest medical laboratory companies in the country. Chances are high that anyone who has had lab tests run at the doctor's office or hospital has used LabCorp at some point. The company had a major security flaw with its website that exposed confidential medical documents, including lab test results.
The breach is reportedly the result of a vulnerability on the LabCorp website tied to its internal customer relationship management (CRM) system. The CRM itself was password-protected, but the website component that pulls patient files from that back end was misconfigured and answered requests without requiring any login, so the password on the back end did nothing to protect the documents served through it.
The address of that document-fetching component was visible to search engines and ended up cached by Google, so anyone who knew where to look could read the data. The cached page held a single patient's health information, but viewing other patients' records was as easy as incrementing the document number in the web address: the endpoint used sequential identifiers and never checked whether the requester was entitled to the document it returned, the pattern known as an insecure direct object reference. LabCorp has reportedly fixed the bug, but only after at least 10,000 documents had already been exposed.
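To make the failure concrete, here is an added example (not LabCorp's code, and not from the report) of a minimal document-fetch endpoint in the exposed pattern beside a hardened version. The vulnerable function takes a sequential document number and returns the record to anyone; the hardened one requires a session, checks that the session's patient owns the record, uses random identifiers that cannot be found by incrementing, and sets headers that keep proxies and crawlers from retaining the response. The patients, documents and session tokens are constructed sample data.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Document:
    doc_id: str        # identifier that appears in the URL
    patient_id: str    # owner of the record
    body: str          # the PHI itself (constructed sample text here)


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def new_doc_id() -> str:
    """128-bit random, URL-safe id: cannot be discovered by adding one."""
    return secrets.token_urlsafe(16)


# --- Constructed sample data; no real patients or results ---------------
# The vulnerable store keys records by a small sequential number, which is
# exactly what turns "increment the number in the URL" into an enumeration.
SEQUENTIAL_STORE = {
    1001: Document("1001", "patient-A", "Lab result for patient A"),
    1002: Document("1002", "patient-B", "Lab result for patient B"),
    1003: Document("1003", "patient-C", "Lab result for patient C"),
}

# The hardened store holds the same records under random ids.
HARDENED_STORE = {}
for _doc in SEQUENTIAL_STORE.values():
    _rid = new_doc_id()
    HARDENED_STORE[_rid] = Document(_rid, _doc.patient_id, _doc.body)

# Session token -> authenticated patient. A password-protected back end is
# worthless if the fetch path never consults the session at all.
SESSIONS = {"tok-A": "patient-A", "tok-B": "patient-B"}


def fetch_vulnerable(doc_number: int) -> Response:
    """The exposed pattern: no session, no ownership check, guessable id."""
    doc = SEQUENTIAL_STORE.get(doc_number)
    if doc is None:
        return Response(404, {}, "not found")
    # No cache or robots headers either: a proxy or crawler may keep this.
    return Response(200, {}, doc.body)


def enumerate_vulnerable(start: int, count: int) -> list:
    """Walk the document numbers and collect every record that answers."""
    leaked = []
    for n in range(start, start + count):
        r = fetch_vulnerable(n)
        if r.status == 200:
            leaked.append(r.body)
    return leaked


def fetch_hardened(session_token, doc_id: str) -> Response:
    """Authorize every fetch, use unguessable ids, forbid caching/indexing."""
    patient = SESSIONS.get(session_token)
    if patient is None:
        return Response(401, {}, "authentication required")
    doc = HARDENED_STORE.get(doc_id)
    # Same 404 for "no such document" and "not yours", so the endpoint does
    # not become an oracle for which ids exist.
    if doc is None or doc.patient_id != patient:
        return Response(404, {}, "not found")
    headers = {
        "Cache-Control": "no-store, private",   # nothing for a proxy to keep
        "X-Robots-Tag": "noindex, nofollow",    # nothing for a crawler to index
    }
    return Response(200, headers, doc.body)


def doc_id_for(patient_id: str) -> str:
    """Helper for the example: look up the random id of a patient's record."""
    for rid, doc in HARDENED_STORE.items():
        if doc.patient_id == patient_id:
            return rid
    raise KeyError(patient_id)


if __name__ == "__main__":
    print("vulnerable endpoint leaks:", enumerate_vulnerable(1000, 10))
    print("hardened, own record:", fetch_hardened("tok-A", doc_id_for("patient-A")).status)
    print("hardened, someone else's:", fetch_hardened("tok-A", doc_id_for("patient-B")).status)
```

The ownership check is the fix that matters; random identifiers and the cache and robots headers are defence in depth, since a leaked random id still should not work for anyone but its owner, and an authorized response still should not end up in a search engine cache.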
Most of the data belonged to cancer patients whose samples the laboratory was handling under its oncology specialty testing unit. The exposed data included names, dates of birth and, in some cases, Social Security numbers. Such data is protected health information under HIPAA, which carries hefty fines for mishandling it.
Under HIPAA, fines for leaking data of this sort range from $100 to $50,000 per violation, and each affected record can be counted as a separate violation. The maximum penalty is $1.5 million per year for violations of an identical provision. LabCorp has said it will notify patients as necessary about the leaked information.