Florida Medical Lab Data Breach Exposes 300,000 Individuals’ Sensitive Information

 

Florida-based medical laboratory, American Clinical Solutions (ACS), recently experienced a significant data breach that exposed the sensitive information of approximately 300,000 individuals. The hacking incident, attributed to the criminal group RansomHub, resulted in the theft of 700 gigabytes of data, which has since been published on the dark web. The exposed data includes Social Security numbers, addresses, drug test results, medical records, insurance information, and other highly sensitive personal details. 

ACS specializes in patient testing for both prescription and illicit narcotics, offering its services to healthcare providers. On July 24, ACS reported the breach to the U.S. Department of Health and Human Services’ Office for Civil Rights. The stolen data encompasses lab testing results from January 2016 until May 2024, the period during which the hacking incident allegedly occurred. Privacy attorney David Holtzman, from the consulting firm HITprivacy LLC, expressed concerns over the nature of the exposed information, highlighting the potential for reputational harm, financial compromise, and extortion due to the sensitivity of drug testing data. 

Despite the severity of the breach, ACS has not yet issued a public statement about the incident on its website, nor has it responded to requests for further details. This lack of communication has raised concerns among legal and regulatory experts, who warn that failing to alert patients about the breach may compound the potential harm. Holtzman emphasized the importance of transparency in such situations, suggesting that the absence of a breach notification may prompt investigations by HHS or state attorneys general to determine whether ACS has complied with the Health Insurance Portability and Accountability Act (HIPAA) and other relevant state laws. 

The delay in notifying affected individuals may stem from various factors, including the possibility that law enforcement advised ACS to wait or that the total number of impacted individuals has not yet been determined. Regulatory attorney Rachel Rose pointed out that drug testing data, while not subject to the stringent federal 42 CFR Part 2 privacy regulations that govern substance disorder treatment facilities, is still considered highly sensitive. Rose compared the compromised information to reproductive health records, mental health records, and data related to diseases like AIDS. 

RansomHub, the group behind the attack, has rapidly gained notoriety within the cybersecurity community since its emergence in February. The gang has claimed responsibility for several major hacks across the healthcare sector, including a June attack on the drugstore chain Rite Aid, which compromised the data of 2.2 million individuals. Security firm Rapid7 recently identified RansomHub as one of the most notable new ransomware groups, underscoring the growing threat it poses to organizations worldwide.