Pierluigi Paganini April 11, 2025

Laboratory Services Cooperative discloses a data breach from October 2024 that exposed personal and medical info of 1.6 million individuals.

Laboratory Services Cooperative disclosed a data breach that impacted the personal and medical information of 1.6 million people.

The Laboratory Services Cooperative (LSC) is a clinical laboratory based in Bremerton, Washington, providing diagnostic testing services primarily to Planned Parenthood centers across 31 U.S. states. Their services support reproductive health and other medical testing needs.

The incident took place in October 2024, LSC is notifying impacted individuals. The company did not provide details about the attack.

On October 27, 2024, the Laboratory Services Cooperative detected suspicious network activity and launched an investigation with the help of cybersecurity experts. They found that an unauthorized party accessed and removed files. A third-party vendor was engaged to assess the impacted individuals.

The stolen data from the LSC breach may include names, addresses, phone numbers, and emails, as well as medical information (diagnoses, lab results, treatment details), health insurance details (plan info, member IDs), billing and payment data (bank account and card info), and sensitive identifiers like Social Security numbers, driver’s license or passport numbers, dates of birth, and student or government IDs.

“The specific information involved is not the same for everyone.” reads the notice of data breach. “It depends on the individual’s relationship with LSC but may include contact details such as name, address, phone number, and email, along with one or more of the following categories:

• Medical/Clinical Information: This may include information such as date(s) of service, diagnoses, treatment, medical record number, lab results, patient/accession number, provider name, treatment location, and related-care details.
• Health Insurance Information: This may encompass plan name, plan type, insurance companies, and member/group ID numbers.
• Billing, Claims, and Payment Data: This could involve claim numbers, billing details, bank account details (including bank name, account number, and routing number), billing codes, payment card details, balance details, and similar banking and financial information.
• Additional Identifiers: This may include Social Security Number, driver’s license or state ID number, passport number, date of birth, demographic data, student ID number, and other forms of government identifiers.

For LSC workers, the breach may also include information about their dependents or beneficiaries, if such details were provided to LSC.

The incident did not impact all Planned Parenthood centers, the security breach only those that used lab testing services from LSC may have been impacted.

The company provides impacted individuals with 12 or 24 months of free credit monitoring and medical identity protection services through CyEx Medical Shield Complete.

After detecting suspicious activity, LSC acted swiftly to investigate and secure its systems. They hired cybersecurity experts to monitor the dark web, but so far, no evidence suggests that stolen data has surfaced there.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Laboratory Services Cooperative)