LabCorp Security Lapse Exposed Thousands of Medical Documents

A security flaw in LabCorp’s website exposed thousands of medical documents, like test results containing sensitive health data. From a report:

It’s the second incident in the past year after LabCorp said in June that 7.7 million patients had been affected by a credit card data breach of a third-party payments processor. The breach also hit several other laboratory testing companies, including Quest Diagnostics. This latest security lapse was caused by a vulnerability on a part of LabCorp’s website, understood to host the company’s internal customer relationship management system.

Although the system appeared to be protected with a password, the part of the website designed to pull patient files from the back-end system was left exposed. That unprotected web address was visible to search engines and was later cached by Google, making it accessible to anyone who knew where to look.

The cached search result only returned one document – a document containing a patient’s health information. But changing and incrementing the document number in the web address made it possible to access other documents. The bug is now fixed.
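
How the two conditions in the report (documents served without a login, and document numbers walked in sequence) would look in web access logs, as a defender-side check. This is an added example, not from the report or from LabCorp; the log format, the `/docs/view?id=` path, the `min_run` threshold and every sample line are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: "<client_ip> <session or -> "GET <path>" <status>".
# The log format and the /docs/view?id= path are hypothetical.
SAMPLE_LOG = """\
198.51.100.20 sess-a1 "GET /docs/view?id=5510" 200
198.51.100.20 sess-a1 "GET /docs/view?id=7302" 200
203.0.113.7 - "GET /docs/view?id=1041" 200
203.0.113.7 - "GET /docs/view?id=1042" 200
203.0.113.7 - "GET /docs/view?id=1043" 200
203.0.113.7 - "GET /docs/view?id=1044" 200
203.0.113.7 - "GET /docs/view?id=1045" 200
192.0.2.33 - "GET /docs/view?id=9000" 401
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "GET /docs/view\?id=(\d+)" (\d{3})$')

def parse(log):
    """Yield (ip, session, doc_id, status) for each document request."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ip, session, doc_id, status = m.groups()
            yield ip, session, int(doc_id), int(status)

def unauthenticated_hits(log):
    """Documents served (HTTP 200) to requests that carried no session."""
    return [(ip, doc) for ip, sess, doc, st in parse(log)
            if sess == "-" and st == 200]

def longest_run(ids):
    """Length of the longest run of consecutive document numbers."""
    seen, best = set(ids), 0
    for i in seen:
        if i - 1 not in seen:          # i starts a run
            n = 1
            while i + n in seen:
                n += 1
            best = max(best, n)
    return best

def enumeration_suspects(log, min_run=4):
    """Clients that were served min_run or more consecutive document numbers."""
    served = defaultdict(list)
    for ip, _sess, doc, st in parse(log):
        if st == 200:
            served[ip].append(doc)
    runs = {ip: longest_run(ids) for ip, ids in served.items()}
    return {ip: n for ip, n in runs.items() if n >= min_run}
```

On an endpoint that enforces authentication, `unauthenticated_hits` returns an empty list; any entry there is a finding on its own, independent of whether the document numbers are sequential.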