Security experts at TechCrunch have discovered a security flaw in a website hosting an internal customer relationship management system deployed by the clinical laboratory network LabCorp. While the system was password protected, the experts identified a flaw in the part of the system that extracted patient files from the back-end system. The flaw meant that patient data could be obtained without a password, and the web address had been indexed by search engines.
Google had cached a single document that included the health data of a patient, but by amending the document number in the web address the researchers were able to open other documents including patient health information.
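The flaw described above is a broken object-level access control: the export path trusted a guessable document number and never consulted the session. As an added illustration (not code from the article or from LabCorp), the following constructed handler shows that pattern beside a hardened version that requires a session, checks the caller's authorization for the specific patient record, and tells crawlers not to index the response; the store, users and document numbers are all made up.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class Document:
    doc_id: int
    patient_id: str
    body: str

# Constructed back-end store with sequential, guessable document numbers.
DOCUMENTS = {
    1001: Document(1001, "patient-A", "CBC panel results"),
    1002: Document(1002, "patient-B", "Oncology pathology report"),
}

# Constructed access-control list: which patient records each staff user may read.
AUTHORIZED_PATIENTS = {
    "nurse-1": {"patient-A"},
}

@dataclass
class Response:
    status: int
    body: str = ""
    headers: Dict[str, str] = field(default_factory=dict)

def fetch_document_flawed(doc_id: int) -> Response:
    """The pattern the article describes: the export path looks the
    document up by number and never consults the session at all."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return Response(404)
    return Response(200, doc.body)

def fetch_document_hardened(session_user: Optional[str], doc_id: int) -> Response:
    """Enforce authentication and per-object authorization on every path that
    touches patient data, and instruct crawlers never to index or cache it."""
    headers = {"X-Robots-Tag": "noindex, noarchive",
               "Cache-Control": "no-store, private"}
    if session_user is None:
        return Response(401, headers=headers)
    doc = DOCUMENTS.get(doc_id)
    # Same 404 for "missing" and "not yours", so the status code does not
    # reveal which document numbers correspond to real records.
    allowed = AUTHORIZED_PATIENTS.get(session_user, set())
    if doc is None or doc.patient_id not in allowed:
        return Response(404, headers=headers)
    return Response(200, doc.body, headers)
```

The export endpoint, not only the login page, is what needs the check: a password on the front door does nothing for a path that skips it.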
The security experts reviewed a small sample of files to see what types of data had been breached. The documents mostly included information about patients who had tests carried out by LabCorp’s Integrated Oncology specialty testing unit. The documents included personal information such as names and dates of birth, lab test results and diagnostic data, and for some patients, Social Security information.
TechCrunch's security experts ran commands against the website to gauge the number of documents accessible there. They structured the commands to return only the files' properties, rather than opening the documents, to avoid viewing patient information. The analysis showed that around 10,000 documents may have been accessed.
TechCrunch contacted LabCorp in relation to the issue and the server was taken offline while the flaw was addressed. The link to the exposed data has not yet been deleted from Google, but it is no longer live and cannot be used to access patient data.
This is the second major security breach to be suffered by LabCorp in the past year. The records of LabCorp patients were breached in the 26 million-record breach at American Medical Collection Agency (AMCA) during March 2019. In that breach, 7.7 million LabCorp patients were first thought to have been impacted. However, the breach was reported to the HHS' Office for Civil Rights as having exposed the personal data of up to 10,251,7847 LabCorp patients.