Hackers Breach Nonprofit Lab Services Provider, Exposing Data of 1.6 Million Patients

A quiet but critical cog in America’s reproductive healthcare infrastructure has become the latest target in a string of high-profile healthcare data breaches.

Seattle-based Laboratory Services Cooperative (LSC), a nonprofit laboratory services provider working with reproductive health centers across 35 states—including select Planned Parenthood locations—has confirmed that hackers accessed its network in October 2024, stealing a trove of sensitive patient information.

The breach, revealed this week through a public notice and regulatory filings, impacted approximately 1.6 million individuals. The compromised data spans personally identifiable information such as Social Security numbers and passport IDs, alongside medical records, insurance policy details, and even banking information.

"Given the invaluable nature of the data they safeguard, healthcare entities are persistently targeted by malicious threat actors," said Andrew Costis, Engineering Manager of the Adversary Research Team at AttackIQ. "This is just the latest development in the recent trend of medical organizations having highly sensitive information breached or put at risk."

LSC detected suspicious activity on October 27 and quickly brought in third-party cybersecurity experts to investigate and contain the intrusion. While the full scope of the breach is still under review, LSC has not seen evidence of the stolen data appearing on dark web marketplaces—at least not yet.

The breach is particularly alarming given LSC's specialized role in managing reproductive health lab testing and billing. Many affected individuals received services at Planned Parenthood centers already reeling from a separate ransomware attack just months earlier.

“This incident underscores a persistent weakness in the healthcare sector’s cybersecurity posture,” Costis emphasized. “Security teams should continuously test their systems against real-world tactics, techniques, and procedures (TTPs) used by threat actors. By emulating these attacks and assessing system responses, vulnerabilities can be identified and addressed promptly.”

LSC is offering 12 to 24 months of free credit and medical identity monitoring to affected individuals, including a "Minor Defense" program for underage patients. But the broader concern remains: as healthcare digitizes, its weakest links may prove devastating.