LabCorp Investigates a Potential Breach that Could Affect Millions

U.S. health diagnostics giant LabCorp has revealed that it detected “suspicious activity” on its network this past weekend, which disrupted its ability to process medical tests.

Patient access to testing results was also interrupted.

In an SEC filing on Monday, the Fortune 500 company said that it “immediately took certain systems offline as part of its comprehensive response to contain the activity.” Work has been ongoing to restore full system functionality, and while the testing capabilities are back online, other systems and functions may take a few days.

“Some customers of LabCorp Diagnostics may experience brief delays in receiving results as we complete that process,” it said.

So far, no evidence of unauthorized transfer or misuse of data has cropped up, it added, although investigation is ongoing.

The North Carolina-based LabCorp is a behemoth in healthcare, and is the country’s largest processor of blood tests. However, it’s reach goes further than that. It offers clinical laboratory and drug development services to managed care organizations, biopharmaceutical companies, governmental agencies, physicians and other healthcare providers. According to its website, it employs nearly 60,000 employees worldwide, and processes more than 115 million patient “encounters” per year. The company tests more than 2.5 million patient specimens per week and supports clinical trial activity in approximately 100 countries.

In short, the potential ramifications of a data breach could be enormous, putting millions of people’s sensitive personal information at risk.

“Consider that LabCorp is one of the largest diagnostic laboratories in the world, and, as you may not be aware, is a very critical part of U.S. healthcare infrastructure,” Pravin Kothari, CEO of cybersecurity solution provider CipherCloud, said via email. “They have hundreds of networked labs across the United States and all of them are likely interconnected centrally with LabCorp headquarters. This may be one of the largest healthcare networks in the world with connections to many thousands of physician offices, hospitals and their testing facility offices worldwide.”

The decision to shut down the entire LabCorp network while determining the extent of the breach was a wise one, Kothari said. The move stops possible information exfiltration, the destruction of patient data or a targeted ransomware attack .

“The single largest part of any patient record is almost always diagnostic tests,” Kothari said. “LabCorp connects electronically to many physician electronic medical record/electronic healthcare record (EMR/EHR) systems to both receive requests from physicians for patient testing, and then to return the results… These systems also still work and interconnect with facsimile machines present in physician offices. All of this presents, at some point, perhaps an increased risk of cyberattacks propagating and moving through this expanded ecosystem.”

That complexity means that, as for other healthcare entities, the attack surface is wide and could contain many points of network vulnerability to these networks – something that cybercriminals are well aware of.

“Health care networks remain under sustained attack by cybercriminals who intentionally target health care networks for two primary reasons – to steal the medical records they contain and to extort ransom payments. Medical records are prime targets, as this data is highly prized to support identity theft and financial fraud,” according to a April report by Cryptonite and the Medical Device Innovation, Safety and Security Consortium.

“From a broad mix of medical devices, to internet of things (IoT) device and more, healthcare networks present a broad opportunity for cyberthieves to find safe harbor from which to identify and steal patient data,” according the report.

In this case, the details as to the nature and duration of the suspicious activity, which systems were affected, whether patient information was compromised, the attack vector and in general, the impact of the incident remain unclarified as of this writing. That’s a state of affairs that’s likely to change going forward, given the sheer size of the player involved.

“Unfortunately, in a potential breach this large, it is almost de rigueur for the department of Health and Human Services, Office of Civil Rights (HHS/OCR) to request a HIPAA audit of LabCorp and possibly closely related business partners that may get caught up in the breach,” Kothari said. “LabCorp will have to weather the cost, and risk, of any HIPAA audit and the continued cost and negative news as the saga unfolds.”