The medical-testing giant Laboratory Corp. of America LH 0.58% is dealing with a broad cyberattack, people familiar with the matter said, the latest breach to disrupt companies that hold sensitive information.
The company, known as LabCorp, has said it was investigating suspicious activity but hasn’t previously disclosed publicly the nature or extent of the “ransomware” attack. It hit one of the company’s genetic-testing units over the weekend, and the impact spread in the ensuing days, the people said.
With ransomware, attackers lock up files and other data, demanding payment to release them. Such attacks have been blamed for widespread system freezes at public schools, transit systems and companies around the world.
Attacks on the health-care industry, with its lifesaving services and sensitive data, can be particularly unnerving. Ransomware disabled some hospitals in the United Kingdom last year, forcing the National Health Service to divert ambulances and cancel appointments.
LabCorp processes millions of blood, urine and other diagnostic tests each week. It is one of the world’s largest domestic commercial lab-testing companies and maintains a database containing health information on roughly half the U.S. population.
There is no indication any data was breached, a spokeswoman said.
Related
LabCorp has provided few details of the attack. It said in a securities filing Monday it had detected “suspicious activity” confined to its diagnostics network, and that its closely followed drug-development arm Covance hadn’t been affected.
The company believes it was hit with a strain of the ransomware known as SamSam, people familiar with the matter said. Earlier this year, the Hartsfield-Jackson Atlanta International Airport—the world’s busiest by passenger traffic—was hit by an attack involving SamSam.
The attack has affected tens of thousands of LabCorp workstations, servers and devices, and the disruption spread to Covance, the people said. The ransomware paralyzed only a minority of that technology before it was halted, one of them said.
The LabCorp spokeswoman said the impact on Covance specifically resulted from security enhancements deployed companywide, not ransomware. She said the company is investigating the breach along with outside security experts and law enforcement.
The Burlington, N.C., company earlier said it had taken some portions of its network offline, which would temporarily slow test processing and customer access to test results.
Hackers demanded $6,000 in bitcoin for each machine or $52,500 to unlock all encrypted devices, according to the alert from the National Health Information Sharing and Analysis Center, which coordinates health-industry responses to cyberattacks.
One of the people familiar with the matter said it has no intention of meeting any ransomware demands. LabCorp plans to replace affected devices, the person said.
The spokeswoman declined to comment on any ransom.
In a note to employees Wednesday and reviewed by The Wall Street Journal, LabCorp identified the suspicious activity as ransomware. The company told employees it wasn’t proactively notifying customers, but rather was “working to respond to specific customer inquiries.”
“We believe that our efforts to quickly contain the ransomware and restore key system functions will limit potential impacts for customers,” LabCorp told employees.
The initial breach was detected at a recently acquired genetic-testing business in LabCorp’s specialty diagnostics division, one of the people familiar with the matter said. The business’s technology wasn’t yet fully integrated with that of LabCorp, a common occurrence after acquisitions and one that slowed LabCorp’s ability to diagnose the problem, the person said.
The company meanwhile notified employees of suspicious activity on its network and urged them to stay off company devices, one of the people said.
Later, LabCorp sent an all-clear message with instructions how to go back online. Some employees returned to work Monday only to see their computers forcibly shut down midmorning, the person said.
In the note to employees Wednesday, LabCorp included a prewritten question-and-answer section. One question read: “How certain are we that no data was lost or compromised as a result of this ransomware incident, including patient data?”
The answer didn’t provide a degree of certainty. It read: “At this time, there is no evidence of theft or misuse of data.”
—Peter Loftus contributed to this article
Write to Rob Copeland at rob.copeland@wsj.com and Melanie Evans at Melanie.Evans@wsj.com