Laboratory Services Cooperative (LSC), a medical testing provider based in Seattle, has reported a major cybersecurity incident that compromised the personal and medical data of approximately 1.6 million individuals. The breach, which occurred in October 2024, exposed a wide range of sensitive information, including patient and employee records.
The attack was first detected on October 27, when unauthorized access to LSC’s internal systems was discovered. Investigations revealed that cybercriminals had infiltrated the network and exfiltrated files containing highly confidential data. Affected information includes full names, physical and email addresses, phone numbers, dates of birth, and Social Security numbers. For some individuals, the breach extended to driver’s license or passport numbers, health insurance details such as provider name and policy numbers, and even sensitive medical records.
In many cases, diagnosis and treatment information, lab test results, medical record numbers, and service locations were also exposed. Financial data wasn’t spared either—billing records, bank account information, credit card details, claim numbers, and balance statements were all part of the compromised data.
Notably, employees of LSC were also affected. Information related to dependents and beneficiaries may have been accessed during the breach. Additionally, a portion of the impacted individuals includes patients from select Planned Parenthood centers that rely on LSC for lab testing services. However, the breach did not extend to all Planned Parenthood facilities—only those served by LSC were potentially affected.
In its official data breach notification, LSC confirmed that 1.6 million individuals are being contacted directly. The organization is offering complimentary credit monitoring and medical identity protection services for 12 to 24 months, depending on the severity of the exposure.
Despite the extent of the breach, LSC claims that there’s currently no evidence the stolen data has been shared or sold on the dark web. Cybersecurity experts were hired to monitor potential misuse, and so far, nothing suspicious has been flagged. However, the company has not disclosed the exact method of attack nor whether there were ransom demands involved.
This incident underscores the growing risk faced by healthcare organizations, especially those storing sensitive personal and medical data. Patients and employees are urged to stay alert for signs of identity theft or fraudulent activity.
