FOR ALL CLINICAL LABORATORIES AND PATHOLOGISTS, the hacking problems Laboratory Corporation of America experienced earlier this month are a reminder that unwanted IT attacks are not a matter of if, but when. It is an accepted fact that labs and other medical providers are at higher risk of such attacks because computer hackers value patients’ medical data more highly than they do other hackable data.
This is why IT security experts advise all healthcare providers to have cybersecurity insurance coverage, at a minimum. As a result of having such coverage, LabCorp minimized the costs it incurred to investigate and stop the attack on its systems over the weekend of July 14 and 15, according to LabCorp Chairman and CEO David P. King.
During that weekend, staff at LabCorp detected suspicious activity in the company’s computer systems. In a statement issued following the discovery of the activity, LabCorp said that it took its systems offline—a step that affected test processing and customer access to test results.
By Monday, July 16, the company said it was working to restore full system functionality as quickly as possible. It added that testing operations had substantially resumed and that other systems would be restored within several days.
Ryan Parry, West Coast correspondent for the UK’s DailyMail.com, reported on July 16 that hackers had breached LabCorp’s IT and that a company insider said senior managers were informed that the company’s entire computer network was shut down across the entire United States on the morning of Sunday, July 15.
During a conference call with Wall Street analysts 10 days later, on July 25, David P. King addressed what he called “the recent ransomware event,” saying operations had returned to normal.
When IT staff detected suspicious activity on its network, the company took certain systems offline to protect patients’ private information, he said. “This decision was the right one, although it led to a disruption in service which required approximately one week for recovery.”
Working with independent forensic IT experts, LabCorp found no evidence of theft or misuse of data, he said. “We believe the financial impact will not be significant and the company has cyber insurance coverage,” he added.
The data analytics company Veriphyr reported in May that, for hackers, a single patient’s personal health information is worth $50 on the black market. That is why hackers are targeting patients’ healthcare data. For comparison, the company said Social Security numbers are worth only $3 each; credit card information, $1.50; date of birth, $3; and mother’s maiden name, $6.
“One reason for the high value is that a person cannot cancel their own medical history, but they can always cancel a stolen credit card number,” the company said. “This makes it much harder to prevent stolen medical data from being used by criminals.”