Ransomware Attack Targets Patient Data at LabCorp

LabCorp is a North Carolina-based laboratory testing facility managing over 2.5 million lab tests per week at over 1,900 patient centers throughout the United States. LabCorp is also a recent victim of a major ransomware attack. In a ransomware attack, the assailant uses a program to encrypt a computer and all of its files and demands payment to unlock the information.

Such was the case for LabCorp. The assailants allegedly used a ransomware strain known as SamSam and threatened to compromise the privacy of millions of patients and their diagnostic data in the process. SamSam, a strain often used in hacking medical data, is not a new strain; those who use it comb the web for unpatched server-side software and sneak into the system unnoticed by spraying malicious emails across the servers or use drive-by downloading techniques whereby the user is infected after being directed to visit a seemingly normal but compromised web page.

SamSam has already been the culprit of litigation brought in the medical industry. SamSam brought with it a massive lawsuit involving billion-dollar American healthcare company Allscripts, which now faces a lawsuit by client affected by the incident who allege Allscripts failed to secure systems and data after being infected by the ransomware. The key language alleged against Allscripts is that “Allscripts was aware… that deficiencies in its product and services could result in privacy and security vulnerability or compromises and failed to take adequate measures to protect against any such event.” The plaintiffs substantiate their claim with a recent Allscripts 10-K filing with the SEC that explains cybersecurity risks that health care institutions like itself face. The fact that a company can potentially be held liable for alleged negligence related to a third-party ransomware attack should concern companies with large amounts of digitalized data.

While no misuse of data has been discovered to this point in the LabCorp breach, the attack is a reminder that digitalization of more data inherently leads to the vulnerability of more private and sensitive information than ever before, a world that laws will have to feverishly keep up with. Many such laws exist, but many more are surely on the horizon as every new technological breakthrough brings with it a new potential ransomware target.

The threat to any business infected by ransomware such as SamSam is real and can have a crippling effect on your company. It is always important to avoid clicking into suspicious emails and unknown web addresses and to always keep in contact with your attorney who should be up to speed on the latest changes in data technology law, appropriate systems of protection for your business, and the latest ransomware and fraud hoaxes.

For specific advice on how to navigate data technology law and protect the private and confidential information of your business, please contact Adli Law Group, P.C.

See, Patrick Howell O’Niell, https://www.cyberscoop.com/allscripts-lawsuit-cybersecurity-samsam-ransomware/.