LabCorp attack highlights persistent ransomware threat to health sector

Ransomware has hit the vast medical-testing and blood diagnostics company LabCorp, the latest health care organization to be targeted by the hostage-taking malware.
(Getty Images)

Ransomware has hit the vast medical-testing and blood diagnostics company LabCorp, the latest health care organization to be targeted by the digital-hostage-taking malware.

After detecting “suspicious activity” on its IT network over the weekend of July 14, LabCorp determined that it had been affected by “a new variant of ransomware,” company spokeswoman Pattie Kushner told CyberScoop.

The North Carolina-based company, which has 60,000 employees worldwide and processes 2.5 million patient samples per week, is working with outside security experts and law enforcement to recover from the attack.

The company took certain systems offline to clear them of the ransomware, which has “affected some test processing and customer access to test results,” Kushner said.


“Work has been ongoing to restore full system functionality as quickly as possible, testing operations have substantially resumed, and we are working to restore additional systems and functions over the next several days,” she added.

The ransomware was only detected on the company’s diagnostics network and did not affect its Covance drug-development systems, according to LabCorp. “Our investigation has found no evidence of theft or misuse of data,” Kushner told CyberScoop.

The Wall Street Journal broke the news Thursday morning that ransomware had infected LabCorp following a report on Monday from the Daily Mail of a cyberattack on the company.

Kushner would not comment when CyberScoop asked whether, as the Journal reported, the infamous SamSam strain of ransomware is likely what hit LabCorp. She also did not comment on whether a ransom had been demanded or paid.

Growing pains


The SamSam ransomware wreaked havoc on Atlanta’s municipal agencies in March, disrupting online processing for residents’ utility bills and court cases. SamSam also struck an Indiana hospital’s computer network in January; hospital officials paid hackers roughly $50,000 to unlock the data.

The high value of medical data makes the sector a natural target for hackers looking for a big payoff.

Allan Liska, senior security architect at cyberthreat intelligence company Recorded Future, told CyberScoop that the health care sector has gotten better at defending against indiscriminate ransomware like Locky. However, Liska said, “where they’re now struggling is with these targeted attacks” like those that use SamSam.

Investigators detected the breach at a genetic-testing business that LabCorp recently acquired – one that hadn’t yet aligned its technology with LabCorp’s, according to The Journal.

Liska said the mismatch between an acquired company’s security and that of its parent organization is all too common.


“That period while you’re bringing that subsidiary up is actually very dangerous because you now have a trusted part of your network that has a lower security posture and … that can give an attacker access,” added Liska, who has responded to health care sector data breaches.

Tony Cole, a cybersecurity consultant who also has done incident response in the sector, told CyberScoop that the challenges of securing health data, from medical records to outdated medical devices, are myriad.

“Health care breaches are a major concern and the levels of criticality are entirely dependent on the threat actor(s) involved,” said Cole, who is CTO of cybersecurity company Attivo Networks. “The companies that make up this part of our critical infrastructure have a hard job of keeping data secure at rest and in transit across a vast swath of different systems.”

John Riggi, a former top FBI cybersecurity official, told CyberScoop that organizations should have “good offline, network segmented backups” to fortify themselves against ransomware attacks.

“Organizations should also carefully scrutinize the necessity of and security of vendors that have access to the backups,” said Riggi, who is now senior advisor for cybersecurity and risk at the American Hospital Association. “Recently, some ransomware perpetrators have begun targeting vendor access to the backups as the initial line of attack.”

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts