UPDATED 22:33 EDT / JANUARY 28 2020

Lab testing firm LabCorp exposes patient data via unsecured CRM system

Lab testing firm Laboratory Corp. of America Holdings, better known as LabCorp, is back in the news again for all the wrong reasons: TechCrunch today reported that the company left thousands of medical documents exposed online.

LabCorp was last in the news in June when 7.7 million patient records were stolen. They included patient names, dates of birth, addresses, phone numbers, dates of service and provider and, in some cases, credit card and bank account information. And in July 2018, the company was a victim of a ransomware attack.

This time around, LabCorp exposed the patient records via an unsecured part of its customer relationship management system. Whether the data was accessed by bad actors isn’t clear, but TechCrunch noted that the data, which primarily related to cancer patients, could be found with only simple effort.

The data included names, dates of birth and in some cases Social Security numbers of patients. In addition, some of the exposed data included lab test results and diagnostic data — protected data under the Health Insurance Portability and Accountability Act or HIPAA.

“The LabCorp security flaw is a case of Insecure Direct Object References Vulnerability that allowed the attacker to discover and bypass authorization and access critical resources directly,” Chetan Conikee, chief technology officer of continuous application security platform provider ShiftLeft Inc., told SiliconANGLE. Likely the attacker modified the value of a parameter, probably a patient ID, in order to gain access to personally identifiable information, he added.

“Such critical resources can be database entries belonging to other users, files in the system and more,” Conikee said. “This is caused by the fact that the application takes user-supplied input and uses it to retrieve an object without performing sufficient authorization and validation checks.”
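To make the flaw Conikee describes concrete, here is an added illustration of the insecure direct object reference pattern: a record lookup driven purely by a client-supplied ID, beside the same lookup with an object-level authorization check and an audit entry on denial. This is example code written for this article, not LabCorp's system or ShiftLeft's tooling; it simulates a web handler in plain Python with a constructed in-memory record store, and the account names, record IDs and log format are all assumptions.

```python
"""Insecure direct object reference (IDOR), vulnerable and hardened side by side.
Example code, not from LabCorp or ShiftLeft. All records below are constructed."""
from dataclasses import dataclass


@dataclass
class Record:
    record_id: int
    owner: str      # account permitted to read this record
    summary: str


# Constructed sample store with sequential IDs, the shape that makes IDOR easy to hit.
RECORDS = {
    1001: Record(1001, "alice", "lab result A (constructed)"),
    1002: Record(1002, "bob", "lab result B (constructed)"),
}

# Constructed audit trail; in a real deployment these lines would go to a SIEM.
AUDIT_LOG: list[str] = []


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested object."""


def get_record_vulnerable(session_user: str, record_id: int) -> Record:
    """The defect: the object is fetched from the user-supplied identifier alone.
    The authenticated user is accepted as a parameter but never consulted, so any
    valid ID returns another account's record."""
    return RECORDS[record_id]


def get_record_secure(session_user: str, record_id: int) -> Record:
    """Same lookup with an object-level authorization check. The record is
    resolved, then its owner is compared against the authenticated principal.
    A mismatch is logged and refused with the same response as a missing ID, so
    the handler does not leak which IDs exist."""
    record = RECORDS.get(record_id)
    if record is None or record.owner != session_user:
        AUDIT_LOG.append(f"DENY user={session_user} record_id={record_id}")
        raise Forbidden("record not found")
    return record


def readable_by(session_user: str, handler) -> set[int]:
    """Which record IDs a given user can read through a given handler.
    Used here to show the difference between the two implementations."""
    seen: set[int] = set()
    for rid in RECORDS:
        try:
            seen.add(handler(session_user, rid).record_id)
        except Forbidden:
            pass
    return seen


if __name__ == "__main__":
    print("vulnerable handler, alice reads:", sorted(readable_by("alice", get_record_vulnerable)))
    print("secure handler, alice reads:    ", sorted(readable_by("alice", get_record_secure)))
    print("audit log:", AUDIT_LOG)
```

The fix is the ownership comparison, not obscuring the ID: a random identifier slows guessing but is still a direct reference if the check is missing. The audit line on every denial is what gives a defender something to alert on when one session starts tripping refusals across many object IDs.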

Robert Prigge, chief executive officer of identity verification company Jumio Corp., thinks the impact on the lives of thousands of affected patients may be significant, since there’s a good chance much of their information is now on the dark web, a shady part of the internet reachable with special software. That leaves them vulnerable to identity theft, account takeover and even prescription fraud.

The healthcare industry is a prime target for cybercriminals because the data can be very profitable when sold on the dark web, said Stephan Chenette, co-founder and CTO of enterprise security firm AttackIQ Inc.

“Unlike, for example, financial data, healthcare data usually contains fixed information, such as dates of birth and Social Security numbers, which thieves can leverage to commit identity theft for years to come,” Chenette explained. “LabCorp and other healthcare organizations, who manage large amounts of confidential patient information, must take proactive approaches to protect their data.”

Image: LabCorp