Centers Laboratory Data Breach Exposes PHI of 540,000

Centers Laboratory Data Breach Affects 540,000, Exposing Health Information

HIGH
July 13, 2026
5m read
Data BreachRansomwareThreat Actor

Impact Scope

People Affected

542,377

Industries Affected

Healthcare

Geographic Impact

United States (national)

Related Entities

Threat Actors

WorldLeaks

Organizations

U.S. Department of Health and Human Services

Other

Centers LaboratoryNikeDell

Full Report

Executive Summary

Centers Laboratory (Centers Lab NJ LLC), a healthcare testing and diagnostics provider, has officially disclosed a data breach that has impacted 542,377 individuals. According to a filing with the U.S. Department of Health and Human Services, the incident was discovered in August 2025 and involved unauthorized access to the company's IT environment. The threat actors exfiltrated a significant amount of sensitive data, including Social Security numbers and protected health information (PHI). The WorldLeaks extortion group has claimed responsibility for the attack, adding Centers Lab to its data leak site and alleging the theft of 720 GB of data.


Threat Overview

The incident is a classic data breach and extortion scenario targeting the healthcare sector, which is a high-value target due to the sensitive nature of the data it holds.

  • Victim: Centers Laboratory, a New Jersey-based healthcare services provider.
  • Threat Actor: WorldLeaks, a cybercrime group that emerged in 2025.
  • Impact: 542,377 individuals affected.
  • Timeline:
    • August 9-14, 2025: Threat actors have access to the network and exfiltrate data.
    • August 2025: Centers Laboratory discovers the intrusion.
    • October 2025: WorldLeaks lists Centers Laboratory on its dark web leak site.
    • July 2026: Centers Laboratory formally reports the breach and begins notifying victims.

Technical Analysis

Details on the initial access vector have not been disclosed. However, the investigation revealed that threat actors had access to Centers Laboratory's systems for approximately five days. During this window, they were able to navigate the network and exfiltrate large quantities of data.

The compromised data includes a wide range of Personal Identifiable Information (PII) and Protected Health Information (PHI):

  • Names
  • Social Security numbers
  • Dates of birth
  • Driver's license numbers
  • Passport numbers
  • Health insurance information
  • Medical information (e.g., test results, diagnoses)

The WorldLeaks group's claim of stealing 720 GB across 1.6 million files suggests a large-scale, indiscriminate data grab from file servers or databases within the laboratory's network.

MITRE ATT&CK Mapping

Impact Assessment

The impact on the 542,377 affected individuals is severe and long-lasting. The combination of PII and PHI is a toxic cocktail that can be used for a variety of malicious purposes:

  • Medical Identity Theft: Criminals can use the stolen PHI to fraudulently obtain medical services, prescriptions, or file fake insurance claims in a victim's name.
  • Targeted Phishing and Fraud: The detailed personal and medical information can be used to create highly convincing and emotionally manipulative phishing campaigns.
  • Identity Theft and Financial Fraud: The presence of Social Security numbers, driver's license numbers, and passport numbers enables criminals to open new lines of credit, file fraudulent tax returns, and commit other forms of identity theft.
  • Extortion: Individuals could be blackmailed with the threat of releasing their sensitive medical information.

For Centers Laboratory, the impact includes significant costs for incident response, legal fees, regulatory fines under HIPAA, and long-term reputational damage.

IOCs — Directly from Articles

No specific file hashes, IP addresses, or domains were provided in the source articles.

Cyber Observables — Hunting Hints

To detect similar data breaches, organizations should monitor for signs of large-scale data staging and exfiltration:

Type
file_name
Value
*.zip, *.rar, *.7z
Description
Attackers often compress large amounts of data into archive files on a staging server before exfiltration. Monitor for the creation of unusually large archives.
Context
File integrity monitoring, EDR
Type
network_traffic_pattern
Value
Large outbound data transfer
Description
A sustained, high-volume data transfer from an internal server to an external IP address, especially one in a non-standard geography, is a major red flag.
Context
Netflow analysis, DLP, Firewall logs
Type
process_name
Value
rclone.exe, megacmd.exe
Description
Attackers often use legitimate cloud sync tools to exfiltrate data. Monitor for the execution of these tools on servers.
Context
EDR, Process creation logs
Type
user_account_pattern
Value
Service account accessing unusual data
Description
A service account that normally only interacts with one database suddenly querying another is a sign of lateral movement.
Context
Database activity monitoring (DAM), UEBA

Detection & Response

  • Data Loss Prevention (DLP): Deploy network and endpoint DLP solutions to identify, alert on, and block the unauthorized movement of sensitive data matching PII and PHI patterns.
  • Network Traffic Analysis: Use network security monitoring tools to establish a baseline of normal traffic patterns and alert on anomalies, such as large outbound transfers or connections to known malicious IPs or cloud storage services not used by the organization. This is a core part of D3-NTA: Network Traffic Analysis.
  • User and Entity Behavior Analytics (UEBA): Monitor for anomalous access patterns, such as a single user account accessing an unusually large number of patient records in a short period.

Mitigation

  • Data Encryption: Encrypt sensitive data both at rest (in databases and on file servers) and in transit. This makes stolen data unusable to attackers without the decryption keys. This aligns with D3-FE: File Encryption and D3-DENCR: Disk Encryption.
  • Network Segmentation: Segment the network to isolate critical systems containing PHI. This can prevent an attacker who compromises a less secure part of the network from easily accessing sensitive data repositories.
  • Access Control: Enforce the principle of least privilege. User and service accounts should only have access to the specific data they need to perform their functions. Regular access reviews are critical.
  • Vulnerability Management: Maintain a robust vulnerability management program to patch systems and applications promptly, reducing the attack surface available to threat actors.

Timeline of Events

1
August 9, 2025
Threat actors gain access to Centers Laboratory's IT environment.
2
August 14, 2025
Threat actor access to the network ends.
3
August 31, 2025
Centers Laboratory discovers the security breach.
4
October 31, 2025
The WorldLeaks group lists Centers Laboratory on its dark web leak site.
5
July 13, 2026
The company formally reports the breach to regulators and begins notifying victims.
6
July 13, 2026
This article was published

MITRE ATT&CK Mitigations

Encrypt sensitive data at rest to ensure that even if exfiltrated, it remains unreadable without the decryption keys.

Isolate networks containing PHI/PII from less secure parts of the corporate network to limit the blast radius of a compromise.

Use DLP and network analysis tools to detect and block large-scale data exfiltration attempts in real-time.

Enforce the principle of least privilege to ensure user and service accounts cannot access data beyond their specific job function.

Timeline of Events

1
August 9, 2025

Threat actors gain access to Centers Laboratory's IT environment.

2
August 14, 2025

Threat actor access to the network ends.

3
August 31, 2025

Centers Laboratory discovers the security breach.

4
October 31, 2025

The WorldLeaks group lists Centers Laboratory on its dark web leak site.

5
July 13, 2026

The company formally reports the breach to regulators and begins notifying victims.

Sources & References

Centers Laboratory Data Breach Affects 540,000 Individuals
SecurityWeek (securityweek.com) July 13, 2026
Centers Laboratory data breach impacts over 540,000 people
Security Affairs (securityaffairs.com) July 13, 2026

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Editorial Standards & Analyst Review

CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.

Tags

Data BreachHealthcarePHIPIIWorldLeaksExtortionHIPAA

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.