US lab testing provider exposed health data of 1.6 million people

Laboratory Services Cooperative (LSC) has released a statement informing it suffered a data breach where hackers stole sensitive information of roughly 1.6 million people from its systems.

LSC is a Seattle-based nonprofit organization that provides centralized laboratory services to its member affiliates, including select Planned Parenthood centers.

It plays a crucial role within its niche, supporting organizations in the reproductive health services across more than 35 U.S. states, handling sensitive lab testing, billing, and personal data.

The organization published yesterday a notice of a security incident caused by a threat actor that breached its networks in October 2024 and stole data.

“On October 27, 2024, LSC identified suspicious activity within its network,” reads the notice.

“In response, LSC immediately engaged third-party cybersecurity specialists to determine the nature and scope of the incident and notified federal law enforcement.”

“The investigation revealed that an unauthorized third party gained access to portions of LSC’s network and accessed/removed certain files belonging to LSC.”

The information exposed for each individual varies and may include one or more of the following data types:

• Personal identifiers: Full name, SSN, driver’s license or passport number, date of birth, and government-issued IDs.
• Medical info: Dates of service, diagnoses, treatments, lab results, provider, and facility details.
• Insurance info: Plan type, insurer, and member/group ID numbers.
• Billing and financial data: Claims, billing details, bank and payment card info.

According to a filing submitted to the Maine’s AG Office, the data breach impacts 1,600,000 people.

The breach mainly affects individuals who had lab tests done through select Planned Parenthood centers that use the LSC for their testing. More information about the impacted centers is available on this FAQ page and by calling LSC.

While the organization can confirm which centers were impacted, validating impact on the level of individuals is not provided due to privacy reasons.

LSC says the investigation into the security incident is ongoing and external cybersecurity experts also monitor the dark web for data leaks relating to the breach. As of yet, no such exposure has occurred on dark web markets, forums, or extortion portals.

Potentially affected individuals are encouraged to use the free credit monitoring and medical identity protection services covered by LSC for 12 or 24 months, depending on their state. The deadline to enroll is July 14, 2025.

For underage individuals with no SSN or credit, a separate monitoring and protection service will be offered, called ‘Minor Defense.’

Although Planned Parenthood was not directly responsible for the data exposure this time, customers of the healthcare organization had their data exposed for a second time in 2024, following a RansomHub ransomware attack in August 2024.