Over one million impacted as laboratory service declares serious data breach

Scientists using laboratory instruments. — Image by © Tim Sandle
Laboratory Services Cooperative (LSC), a nonprofit that provides centralized laboratory services, including to select Planned Parenthood centers, disclosed a breach exposing the sensitive information of 1.6 million individuals.
LSC says it identified suspicious activity within its network on October 27, 2024. An investigation revealed that an unauthorized third party gained access to portions of LSC’s network and accessed/removed certain files belonging to LSC.
The data exposed includes social security numbers, banking and insurance information, and diagnoses, among other sensitive information. Information on dependents or beneficiaries was also compromised for LSC employees.
Lack of transparency?
“The investigation confirmed that an unauthorized third party had successfully penetrated our network security perimeter and exfiltrated certain files containing protected information,” said a spokesperson for LSC in their official statement.
“We’ve implemented comprehensive post-breach protocols to mitigate further risks.”
The organization did not say what type of cyberattack it fell victim to and whether it received any extortion attempts.
Given the continued targeting of healthcare organizations by threat actors, as well as broader concerns around data privacy, this issue raises further concerns in relation to the robustness of the cybersecurity policies of major companies.
To gain insight into this data breach, Digital Journal has heard from Andrew Costis, Engineering Manager of the Adversary Research Team at AttackIQ.
How, when and why
Costis begins by outlining the background to the company and the cybersecurity issue afflicting it: “Seattle-based lab testing provider Laboratory Services Cooperative has announced it suffered a data breach that impacted over 1.6 million people in its systems. The initial breach took place in October 2024, when an unknown third party gained unauthorized access to LSC’s network.”
Costis adds additional context: “The nonprofit organization provides reproductive health services across 35 states, and serves a vital role in providing support to organizations by handling sensitive data and operations. The information that was stolen includes social security numbers, banking and insurance information, and medical information like lab results and diagnoses.”
There is a particular reason why medical and healthcare-related enterprises are most often targeted by criminal entities. Costis develops this: “Given the invaluable nature of the data they safeguard, healthcare entities are persistently targeted by malicious threat actors. This is just the latest development in the recent trend of medical organizations having highly sensitive information breached or put at risk, with California Cryobank and 23andMe coming to mind as recent examples.”
Corrective actions
To paraphrase Lenin, ‘What is to be done?’ Here Costis proposes: “Amidst these ongoing threats, organizations in the healthcare sector must adopt a proactive cyber defense. Security teams should continuously test their systems against real-world tactics, techniques, and procedures (TTPs) used by threat actors.”
In addition, he recommends: “By emulating these attacks and assessing system responses, vulnerabilities can be identified and addressed promptly, enabling these organizations to stay ahead of these threats and effectively safeguard patient data.”