Data Breaches at Coronalab, Meridian Behavioral Healthcare and Concentra

Netherlands COVID-19 Testing Laboratory Database Exposed

A medical lab based in the Netherlands that was used as a COVID-19 testing center has left a database compromised online that included the sensitive information of about 1.3 million people including names, birth dates, appointment information, email addresses, COVID-19 screening data, and passport numbers.

Jeremiah Fowler, co-founder of Security Discovery and a vpnMentor security researcher, discovered the compromised database. The database didn’t call for any authentication to view the entire database and so anyone who got the link to the database could access it. The database contained approximately 1,285,277 records, which included 660,173 testing samples, 506,663 appointments, 118,441 certificates, and a few internal software files. The database likewise included many QR codes that open web pages with appointment information and email addresses.

The files have the name and logo of a currently inaccessible website,, which is owned by Coronalab. Coronalab is managed by the ISO-certified laboratory based in Amsterdam, Microbe & Lab, one of the leading industrial medical test companies in the Netherlands. Fowler tried to get in touch with Coronalab on a few instances to tell the company about the compromised database, however, there was no reply. The database was exposed on the internet for 3 weeks until Fowler called the cloud hosting business, Google, which made the database secure to stop unauthorized access. It is unknown how much time the database was exposed on the internet and the number of individuals that discovered it.

Because names, birth dates, testing data, and email addresses were contained in the database, cybercriminals can use the data for phishing attacks pretending to be Coronalab employees. As Fowler mentioned, phishing emails can be created using data only known to the persons involved and Coronalab, raising the possibility of a reply. Now that the pandemic is almost over, it is time for companies to check the large amounts of information they have kept and see whether these records are still required. If they are, companies need to make sure the information is safe against unauthorized access. The files must be anonymized or encrypted to stop unwanted data compromise or from malicious actors.

Meridian Behavioral Healthcare Security Breach

Meridian Behavioral Healthcare, Inc. based in Florida reported the exposure of PHI due to a security breach that was discovered on August 11, 2023. Third-party cybersecurity experts investigated the breach and confirmed on December 4, 2023 that 98,808 persons were impacted. The provider mailed written notifications on December 22, 2023. The data exposed in the breach differed from one person to another and might have contained names, Social Security numbers,
addresses, birth dates, medical diagnosis and treatment data, medical insurance data, and prescription details.

Meridian Behavioral Healthcare stated it did not receive any report of patient data misuse but has given the impacted person free credit monitoring services. Supplemental security measures were put in place inside its network, and data security guidelines and measures are under review and will be revised as needed to safeguard patient information better.

About 4 Million Concentra Patients Impacted by PJ&A Data Breach

Physical and occupational health provider, Concentra based in Texas, has confirmed it was impacted by a cyberattack that happened at its transcription company, PJ&A. PJ&A already submitted the breach report to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) indicating that about 9 million individuals were affected; nevertheless, many PJ&A clients, including Concentra, have decided to submit the breach report to OCR themselves.

On January 9, 2024, Concentra reported the compromise of the PHI of 3,998,162 individuals because of the PJ&A cyberattack. The total number of impacted persons was around 14 million, making this healthcare data breach the largest of 2023. That total will possibly increase further, though it is not clear by how much as PJ&A has not yet announced which clients were impacted nor how many records were exposed in the cyberattack.

The medical transcription firm based in Nevada and many impacted clients are facing lawsuits because of the data breach. About 40 lawsuits were filed against PJ&A for alleged negligence for not implementing reasonable and proper cybersecurity steps to protect the sensitive health information given by its clients. In a number of the lawsuits, the impacted healthcare providers are made co-defendants.

Concentra stated the data exposed includes complete names and at least one of these data elements: birth date, address, hospital account number, medical record number, date(s) and time(s) of service, and admission diagnosis. The Social Security numbers, including insurance details and clinical data from medical transcription files like lab and diagnostic testing data, prescription drugs, the name of the treatment center, and the name of healthcare companies were also compromised. No credit monitoring and identity theft protection services were offered. Concentra has cautioned the impacted persons to keep track of their accounts for indications of data misuse and to consider making a fraud notification on their credit records.

Hackers primarily target business associates of HIPAA-regulated entities because they generally keep big volumes of sensitive information, and it is obvious from current breach reports that hackers attack business associates. There are questions about the security measures implemented by PJ&A. How come this massive breach occurred allowing hackers to acquire access to a lot of data? Considering the increased threat of cyberattacks, PJ&A should have implemented network segmentation to make sure that in case of a breach of defenses, hackers can only access limited information.