LabCorp Website Bug Exposed Thousands Of Medical Documents (Jan 28, 2020)
The US-based healthcare company LabCorp, which operates networks of large clinical laboratories across Pan America, has exposed approximately 10,000 medical documents, affecting an unspecified number of people. The part of the website that pulls from the back end was left exposed, with web addresses viewable in search engines and cached by Google. Any user could view each document by incrementing the document number in the web address. The documents relate to cancer patients being monitored by the laboratory’s integrated oncology testing unit, and contained information such as Date of Birth (DOB), lab test results, names, Social Security numbers and other pieces of Personally Identifiable Information (PII). LabCorp has since disabled access to the system, and the Google links no longer resolve to patients’ documents. The exposure puts many patients at risk of phishing campaigns that use their legitimate medical history as a lure, as well as identity fraud and extortion.
Recommendation: It is important that your company has patch-maintenance policies in place, particularly when Bring Your Own Device (BYOD) policies are in use. Once a vulnerability has been reported in open sources, threat actors will likely attempt to incorporate its exploitation into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity or, as in the case of LabCorp, the discovery of PII. To protect their identity and finances, affected patients may pursue identity theft services, which can help prevent actors using stolen data from making illicit purchases or applying for financial services.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.
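The story above turns on document numbers that could be incremented in the web address. As an added example (not part of the original report or LabCorp's systems), the following flags clients in a web access log that walk consecutive document IDs; the `/documents/<id>` path, the log format, the `min_run` threshold and all log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed URL shape: numeric document ID as the last path segment.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"GET /documents/(?P<doc>\d+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [28/Jan/2020:10:00:01 +0000] "GET /documents/4101 HTTP/1.1" 200 5120
203.0.113.20 - - [28/Jan/2020:10:00:02 +0000] "GET /documents/977 HTTP/1.1" 200 4096
198.51.100.7 - - [28/Jan/2020:10:00:02 +0000] "GET /documents/4102 HTTP/1.1" 200 5090
198.51.100.7 - - [28/Jan/2020:10:00:03 +0000] "GET /documents/4103 HTTP/1.1" 200 4988
192.0.2.44 - - [28/Jan/2020:10:00:03 +0000] "GET /documents/300 HTTP/1.1" 200 2048
198.51.100.7 - - [28/Jan/2020:10:00:04 +0000] "GET /documents/4104 HTTP/1.1" 200 5201
203.0.113.20 - - [28/Jan/2020:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024
198.51.100.7 - - [28/Jan/2020:10:00:05 +0000] "GET /documents/4105 HTTP/1.1" 404 312
192.0.2.44 - - [28/Jan/2020:10:00:06 +0000] "GET /documents/301 HTTP/1.1" 200 2050
198.51.100.7 - - [28/Jan/2020:10:00:06 +0000] "GET /documents/4106 HTTP/1.1" 200 5003
203.0.113.20 - - [28/Jan/2020:10:00:07 +0000] "GET /documents/15023 HTTP/1.1" 200 4100
198.51.100.7 - - [28/Jan/2020:10:00:07 +0000] "GET /documents/4107 HTTP/1.1" 200 5117
192.0.2.44 - - [28/Jan/2020:10:00:09 +0000] "GET /documents/305 HTTP/1.1" 200 2101
"""

def longest_sequential_run(ids):
    """Longest run of requests where each ID is the previous ID plus one."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_enumerators(log_text, min_run=5):
    """Map client IP -> (longest run, documents served) for suspected walkers."""
    ids, served = defaultdict(list), defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a document request
        ids[m["ip"]].append(int(m["doc"]))
        served[m["ip"]] += m["status"] == "200"
    runs = {ip: longest_sequential_run(seq) for ip, seq in ids.items()}
    return {ip: (n, served[ip]) for ip, n in runs.items() if n >= min_run}

if __name__ == "__main__":
    for ip, (run, ok) in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {run} consecutive document IDs requested, {ok} served")
```

Detection of this kind complements, and does not replace, an authorization check on every document request.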