Pravin Kothari, CEO of cybersecurity solution provider CipherCloud, today commented on news that LabCorp is investigating a data breach on its computer network that potentially putting millions of people’s sensitive personal information at risk:
Pravin Kothari, CEO at CipherCloud:
“The LabCorp data breach is yet another heavy blow in the continued assault on healthcare. Consider that LabCorp is one of the largest diagnostic laboratories in the world, and, as you may not be aware, is a very critical part of U.S. healthcare infrastructure. They have hundreds of networked labs across the United States and all of them are likely interconnected centrally with LabCorp headquarters. This may be one of the largest healthcare networks in the world with connections to many thousands of physician offices, hospitals and their testing facility offices worldwide.
LabCorp made the wise decision to shut down their entire network while determining the extent of the breach. Taking this preventive action may be warranted especially if they are shutting down to stop the propagation of a targeted ransomware attack and the possible destruction of patient laboratory data.
Consider that the single largest part of any patient record is almost always diagnostic tests. LabCorp connects electronically to many physician electronic medical record/electronic healthcare record (EMR/EHR) systems to both receive requests from physicians for patient testing, and then to return the results. Results are sometimes stored and sent using digital data, and other times using digital images of the test requests and test results. These systems also still work and interconnect with facsimile machines present in physician offices. As mentioned earlier, LabCorp also has connections to most of the hospitals and other clinics in the United States. All of this presents, at some point, perhaps an increased risk of cyberattacks propagating and moving through this expanded ecosystem.
LabCorp no doubt has reviewed and likely beefed up their cybersecurity and HIPAA compliance processes given their recent experiences with HIPAA related litigation. Unfortunately, in a potential breach this large, it is almost de rigueur for the department of Health and Human Services, Office of Civil Rights (HHS/OCR) to request a HIPAA audit of LabCorp and possibly closely related business partners that may get caught up in the breach. LabCorp will have to weather the cost, and risk, of any HIPAA audit and the continued cost and negative news as the saga unfolds.”