Data breach at Laboratory Services Cooperative exposes sensitive information of 1.6 million individuals

Laboratory Services Cooperative (LSC), a nonprofit organization based in Seattle, has confirmed a significant data breach that has compromised the personal and medical information of approximately 1.6 million individuals. The announcement, made in a public notice released yesterday, outlines a cyberattack that occurred in October 2024 and targeted LSC’s internal systems.

LSC provides centralized laboratory services, including lab testing, billing, and data processing, to affiliated organizations across more than 35 states. Among its member affiliates are select Planned Parenthood centers, which rely on LSC for handling sensitive reproductive health-related laboratory services.

According to the official notice, LSC first detected suspicious activity within its network on October 27, 2024. The organization promptly enlisted third-party cybersecurity experts to investigate the incident and notified federal law enforcement authorities. The subsequent forensic analysis confirmed that an unauthorized actor gained access to certain segments of LSC’s network and exfiltrated files containing personal data.

The types of data exposed in the breach vary by individual but may include names, Social Security numbers, driver’s license or passport numbers, dates of birth, and other government-issued identification. Additionally, compromised records may involve medical details such as lab results, diagnoses, treatment information, service dates, and provider details. Insurance-related data and billing records, including payment card and bank information, were also among the affected categories.

In a filing with the Office of the Attorney General in Maine, LSC disclosed that the breach impacted 1,600,000 individuals. The majority of those affected had laboratory services performed through specific Planned Parenthood centers that contract with LSC. Although the organization can identify the centers involved, it stated that, due to privacy considerations, it cannot disclose impact at the individual level.

LSC’s security team, along with external cybersecurity experts, continues to monitor for any signs that the stolen information may have surfaced on dark web marketplaces or extortion sites. To date, no such data has been found circulating in those channels.

In response to the breach, LSC is offering free credit monitoring and medical identity protection services to affected individuals. These services will be available for either 12 or 24 months, depending on the individual’s state of residence. For minors whose data was exposed but who do not have credit histories or Social Security numbers, a dedicated service called "Minor Defense" will be provided. Enrollment for these protections is open until July 14, 2025.