Website Error Exposed Personal and Health Data of LabCorp Patients

Researchers at TechCrunch have identified a security flaw in a website hosting an internal customer relationship management system used by the clinical laboratory network LabCorp. While the system was password protected, the researchers found a flaw in the part of the system that pulled patient files from the back-end system. The flaw allowed patient data to be accessed without requiring a password and the web address was visible to search engines.

Google had cached only one document containing the health data of a patient, but by changing the document number in the web address the researchers were able to open other documents containing patient health information.

The researchers examined a small selection of files to see what types of data had been exposed. The documents mostly contained information about patients who had tests conducted by LabCorp’s Integrated Oncology specialty testing unit. The documents contained personal information such as names and dates of birth, lab test results and diagnostic data, and for some patients, Social Security numbers.

TechCrunch researchers used computer commands to determine the number of documents accessible on the website. They structured the commands to return information about the properties of the files, rather than opening the documents, to avoid accessing patient information. The analysis revealed around 10,000 documents could potentially be accessed.

TechCrunch notified LabCorp about the issue and the server was taken offline while the flaw was corrected. The link to the exposed data has not yet been removed from Google, but it is no longer active and cannot be used to view patient data.

This is the second major security incident to be experienced by LabCorp in the past 12 months. The records of LabCorp patients were exposed in the 26 million-record breach at American Medical Collection Agency (AMCA) in March 2019. 7.7 million LabCorp patients were initially thought to have been affected, but the breach was reported to the HHS’ Office for Civil Rights as having affected up to 10,251,7847 LabCorp patients.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.