The breach affecting Laboratory Services Cooperative involves sensitive information about medical care, as well as bank account details.
# Incident Report: Laboratory Services Cooperative (LSC) Data Breach
## Executive Summary
Laboratory Services Cooperative (LSC), a lab company serving Planned Parenthood centers across numerous states, suffered a significant data breach discovered on October 27th. Cybercriminals accessed and exfiltrated sensitive medical and personal information belonging to approximately 1.6 million individuals. LSC completed its investigation in February and is providing credit monitoring while facing potential heightened scrutiny due to the sensitive nature of the healthcare data involved.
## Incident Details
- **Discovery Date:** October 27 (Year not specified, implied to be prior to February of the reporting year)
- **Incident Date:** Attack occurred prior to October 27
- **Affected Organization:** Laboratory Services Cooperative (LSC)
- **Sector:** Healthcare / Laboratory Services, serving Reproductive Healthcare organizations
- **Geography:** United States (services provided across 30 states + D.C.)
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown, occurred prior to October 27.
- **Vector:** Cyberattack (method unspecified).
- **Details:** Attackers gained access to the LSC network and subsequently accessed and removed files.
### Lateral Movement
- *Details not provided in the source material.*
### Data Exfiltration/Impact
- **Date/Time:** Concluded by February (investigation closure).
- **Details:** Cybercriminals accessed and removed files containing protected health information (PHI) and personally identifiable information (PII) for approximately 1.6 million individuals.
### Detection & Response
- **Date/Time:** Discovery on October 27; Investigation completed in February.
- **Details:** LSC discovered the cyberattack on October 27 and immediately began an investigation. It has since hired cybersecurity firms to monitor the dark web. Breach notifications were filed in multiple states, including Maine and California.
## Attack Methodology
- **Initial Access:** Unknown (General cyberattack).
- **Persistence:** Unknown.
- **Privilege Escalation:** Unknown.
- **Defense Evasion:** Unknown.
- **Credential Access:** Unknown.
- **Discovery:** Unknown.
- **Lateral Movement:** Unknown.
- **Collection:** Access and removal of files containing medical and personal data.
- **Exfiltration:** Stolen files were removed from the network.
- **Impact:** Disclosure of sensitive medical and personal data.
## Impact Assessment
- **Financial:** Victims were offered one year of credit monitoring services (internal investigation costs unknown).
- **Data Breach:** Approximately 1.6 million individuals affected. Data includes: medical information (dates of service, diagnosis, treatments, lab results, treatment locations, care details), PII (health insurance numbers, bank account details, payment cards, SSNs, IDs), and employee/beneficiary data.
- **Operational:** No specific operational downtime was detailed, but data loss occurred.
- **Reputational:** High potential for reputational harm due to the extremely sensitive nature of the exposed data, particularly involving reproductive healthcare and patients of Planned Parenthood centers.
## Indicators of Compromise
- **Network indicators:** None specified (URLs/IPs defanged for reporting).
- **File indicators:** None specified.
- **Behavioral indicators:** Unauthorized access and removal of files from the LSC network.
## Response Actions
- **Containment:** Implicitly began upon discovery on October 27.
- **Eradication:** Investigation completed in February, suggesting threat actors were removed, though the timing of eradication is not specified.
- **Recovery:** Hired cybersecurity firms to monitor the dark web. Notifying affected parties and offering one year of credit monitoring.
## Lessons Learned
- The organization's security posture proved vulnerable to a successful cyberattack resulting in large-scale data exfiltration.
- The period from detection (October 27) to completion of the full investigation (February) spanned several months, indicating a complex or long-running incident.
- Third-party vendor risk (LSC servicing Planned Parenthood) proved to be a major liability, exposing patient data across a wide geographic scope.
## Recommendations
- Immediately review and enhance network segmentation and access controls, especially concerning sensitive PHI data repositories.
- Increase the frequency and depth of proactive threat hunting and monitoring across the network.
- Conduct a thorough review of Data Security Agreements (DSAs) with all third-party service providers, such as LSC, to ensure that vendors handling sensitive patient data meet compliance requirements and robust security standards.
- Enhance incident response playbooks tailored for large-scale healthcare data breaches.