LabCorp has confirmed that its
internal system was accessed by an unauthorized person but would not give any
further details pertaining to the number of people or types of data possibly
affected.
In a statement to SC Media, LabCorp
said it has determined that an internal company system used by its Integrated
Oncology business was accessed externally. LaborCorp added that no customer,
client, vendor or other external system was affected and that access to the
system in question was immediately disabled.
“We continue to investigate
this incident and will take further action, including notifying affected
patients or regulatory authorities, that may be required or appropriate,” the company
said.
TechCrunch offered more details reporting the vulnerability was due to the company leaving part of its database unprotected. The unprotected URL was searched and indexed by Google exposing a single document, however, by changing the document number others could be accessed. TechCrunch research found about 10,000 documents could be exposed in this manner which contained a large amount of PHI on each patient including Social Security numbers and test results.
The vulnerability has been
fixed.
“The LabCorp security
flaw is a case of Insecure Direct Object References Vulnerability that allowed
the attacker to discover and bypass authorization and access critical resources
directly by modifying the value of a parameter (which was most likely a patient
ID) in order to gain access to patient PII data. Such critical resources can be
database entries belonging to other users, files in the system, and more. This
is caused by the fact that the application takes user supplied input and uses
it to retrieve an object without performing sufficient authorization and
validation checks,” said Chetan Conikee, chief technology officer at ShiftLeft.
This is the second data
incident LabCorp
has been involved with within the last seven months. In June the company reported
7.7 million of its customers were part of the American Medical Collection
Agency (AMCA) data breach. This breach affected in excess of 20 million people
resulted in AMCA’s parent firm the bill collection firm Retrieval-Masters
Creditors Bureau to file for Chapter 11 bankruptcy.
“Yes, this new breach is less
egregious than last summer’s breach affecting 7.7 million in that only ‘thousands
of medical documents’ containing sensitive health data were impacted. However,
the impact on the downstream lives of those thousands of affected patients may
be significant, as there’s a better-than-average chance that much of their PII
is now on the dark web, leaving them vulnerable to identity theft, account
takeover and even prescription fraud,” said Robert Prigge, CEO of Jumio.
