Keeping Labcorp Secure

Safeguarding and protecting information remains one of the most important tasks for Labcorp, as we process and deliver results for hundreds of thousands of tests each day, generate and provide clients with vast amounts of clinical trial data, and process claims and payment data from payers, patients, customers and vendors.

As the risks of cyber threats and the need for heightened cybersecurity have become more significant, we have evolved our processes and systems to enable us to operate securely and reduce the risk of disruptions to our services.

In 2020, COVID-19 transformed Labcorp’s work environment. A large segment of our workforce shifted—almost overnight—to work remotely. In response, we broadened and enhanced our cybersecurity efforts to mitigate COVID-19-related and other opportunistic attacks.

In 2021, we continued improving our risk-based decision-making model to better support business outcomes, enhanced our crisis management activities and protected critical infrastructure. We also expanded programs to assess and address the security and data privacy risks of our valued patients, suppliers, outsourced services providers and customers.

Data Privacy

Labcorp treats all personal information (including but not limited to that of patients, study participants and employees) with the strictest confidentiality in accordance with contractual commitments, ethical standards and all applicable laws in the jurisdictions in which we do business, including HIPAA and the European Union General Data Protection Regulation.

All personal information maintained by Labcorp is collected, processed, stored and transferred with adequate precautions to maintain confidentiality. Personal information is accessed only with specific authorization for an authorized and permissible purpose, and only the minimum amount of personal information necessary for that purpose may be accessed, used and/or disclosed. Any access, use, or disclosure not specifically authorized is strictly prohibited. To review our privacy policies, please visit here.

Information Security

Data protection and information security are led by the Office of Information Security (OIS). The OIS team is led by the Chief Information Risk Officer.

The team is organized into seven security disciplines:

  • Security Architecture and Engineering
  • Security Operations
  • Data Protection and Informatics
  • Identity and Access Management
  • Enterprise Business Resilience
  • Governance, Risk and Compliance
  • Behavior Management and Communications

The OIS is responsible for the protection of Labcorp’s electronic data and information, and the systems on which those are generated, transmitted and stored. The OIS monitors and protects our systems and networks from cybercriminals who seek to steal sensitive information. The team develops detailed cybersecurity breach protocols and crisis/risk management procedures. In addition, the OIS addresses the human element by delivering cybersecurity training and phishing simulations as part of a comprehensive, multi-modal, persistent behavior management and communications program.

Handling of Breaches

Cybersecurity threats have grown in sophistication and complexity during the COVID-19 pandemic. As we scaled our operations to accommodate pandemic-related demands, we also scaled our cybersecurity efforts to further defend against potential risks.

We will continue to evolve our cybersecurity infrastructure and policies to focus on data protection, allowing us to reduce the time required to identify and mitigate potential threats.

Labcorp adheres to strict internal data incident management and notification procedures. As required by applicable law, we will:

  • Notify the competent supervisory authority of a data incident
  • Notify data subjects of a data incident involving their personal information
  • Assess the circumstances in which such notifications may not be required

We report breaches of personal health information as required by law to the U.S. Department of Health and Human Services, Office of Civil Rights (OCR), and to state and local authorities as applicable.

The reports to OCR are publicly available and can be obtained through the OCR Portal.

Embedding Compliance: Employee Training

Labcorp’s ability to achieve and maintain consistent compliance is contingent on rigorous training and development for our employees. Providing our employees with routine training to remain compliant is a critical step for us to be trusted to help move healthcare forward with accuracy and integrity.

Annual compliance training, including Code of Conduct training and privacy training, is required for all employees as stipulated by our mandatory Compliance Training Policy. Targeted training on healthcare fraud and abuse topics, anti-corruption, insider trading and HIPAA is required of select employee populations.

Labcorp’s compliance training focuses on building employee awareness and understanding of compliance-related matters. In 2021, training highlights included:

  • 1.3 million hours of data privacy and information security training completed
  • 71% increase from 2020 in completed cybersecurity, data privacy and information security courses
  • 90% employee completion rate for Code of Conduct and ethics training
  • 91% employee completion rate for global privacy training