Researchers at TechCrunch have identified a security flaw in a website hosting an internal customer relationship management system used by the clinical laboratory network LabCorp. While the system was password protected, the researchers found a flaw in the part of the system that pulled patient files from the back-end system. The flaw allowed patient data to be accessed without requiring a password and the web address was visible to search engines.
Google had cached only one document containing the health data of a patient, but by changing the document number in the web address the researchers were able to open other documents containing patient health information.
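As an added illustration (not code from the original article, and not LabCorp's system), the following hypothetical Python model contrasts a lookup that serves any sequential document number with no session check against a hardened version that requires a session, enforces object-level authorization, and exposes only random handles instead of guessable numbers; all names, session ids and records are constructed.

```python
"""Model of the retrieval flaw described in the article: a back-end lookup
keyed by a sequential document number, reachable without a session check.
Hypothetical code; data below is constructed, not real patient data."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Document:
    patient_id: str
    body: str


# Constructed sample store keyed by sequential document numbers.
DOCUMENTS: Dict[int, Document] = {
    1001: Document("P-A", "report A"),
    1002: Document("P-B", "report B"),
}


class AuthError(Exception):
    """Raised for missing login, unknown handle, or foreign record."""


def fetch_document_vulnerable(doc_number: int) -> Document:
    """Mirrors the flaw: any document number is served, no session required."""
    return DOCUMENTS[doc_number]


# Hardened design: a session identifies the patient, lookups need a session
# and are limited to that patient's own records, and external handles are
# random so neighbouring records cannot be reached by changing one number.
SESSIONS: Dict[str, str] = {"sess-abc": "P-A"}   # constructed session -> patient
HANDLE_TO_NUMBER: Dict[str, int] = {}


def issue_handle(doc_number: int) -> str:
    """Replace the guessable number with an unguessable opaque handle."""
    handle = secrets.token_urlsafe(16)
    HANDLE_TO_NUMBER[handle] = doc_number
    return handle


def fetch_document_hardened(session_id: Optional[str], handle: str) -> Document:
    patient = SESSIONS.get(session_id or "")
    if patient is None:
        raise AuthError("login required")          # authentication
    doc_number = HANDLE_TO_NUMBER.get(handle)
    if doc_number is None or DOCUMENTS[doc_number].patient_id != patient:
        raise AuthError("not found")               # one answer for both cases
    return DOCUMENTS[doc_number]
```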
The researchers examined a small selection of files to see what types of data had been exposed. The documents mostly contained information about patients who had tests conducted by LabCorp’s Integrated Oncology specialty testing unit. The documents contained personal information such as names and dates of birth, lab test results and diagnostic data, and for some patients, Social Security numbers.
TechCrunch researchers used computer commands to determine the number of documents accessible on the website. They structured the commands to return information about the properties of the files, rather than opening the documents, to avoid accessing patient information. The analysis revealed around 10,000 documents could potentially be accessed.
TechCrunch notified LabCorp about the issue and the server was taken offline while the flaw was corrected. The link to the exposed data has not yet been removed from Google, but it is no longer active and cannot be used to view patient data.
This is the second major security incident experienced by LabCorp in the past 12 months. The records of LabCorp patients were exposed in the 26 million-record breach at American Medical Collection Agency (AMCA) in March 2019. Initially, 7.7 million LabCorp patients were thought to have been affected, but the breach was reported to the HHS’ Office for Civil Rights as having affected up to 10,251,7847 LabCorp patients.