UPDATED 23:26 EDT / JUNE 05 2019

7.7M patient records stolen in latest hack of lab testing firm LabCorp

The saying “Once bitten, twice shy” doesn’t always apply to cybersecurity. The latest example: Lab testing firm Laboratory Corp. of America Holdings, better known as LabCorp, revealed Tuesday that it has been hacked again, 11 months after its last hack.

The latest LabCorp hack involved the theft of 7.7 million patient records that included patient names, dates of birth, addresses, phone numbers, dates of service and provider, along with, in some cases, credit card and bank account information. The disclosure came only via a filing with the U.S. Securities and Exchange Commission, with the company not providing details of the hack on its own website as of Wednesday evening.

The hack is directly related to the one that affected Quest Diagnostics Inc. on Monday. The data theft in both cases involved a third-party payment processing software provider called American Medical Collection Agency Inc.

The attack is believed to have involved the Magecart Group, a group that targets payment systems. Magecart has previously been credited with the hacks of Oxo International Ltd. as well as Newegg Inc., the Infowars Store, Cathay Pacific Airways Ltd., British Airways and Ticketmaster Entertainment Inc.

“Recent Magecart attacks against medical services (a somewhat non-obvious target) reveal a degree of sophistication in target selection from the threat actors,” Kevin Stear, lead threat analyst at JASK Inc., told SiliconANGLE. “And as the web-skimmer threat extends to more and more obscure targets, these campaigns also raise some questions about the accepted e-commerce security standards for online payment processing.”

Michael Covington, vice president of product strategy at Wandera Inc., notes that this series of breaches reveals the downside of most organizations’ increasingly common habit of relying on third parties to provide critical functions that enable their business.

“In order to offer a service, these third-parties often need access to employee, customer and even patient medical data,” Covington explained. “Businesses that think they are in full control of their sensitive data are seriously mistaken.”

And there’s nothing consumers can do, he said, especially since many of the third parties aren’t vetted by information technology security staff. “You can’t stop going to the doctor because you’re afraid of a data breach,” he said. “Your physician, hospital, pharmacy and diagnostics provider all must access your data to keep you healthy.”
