The company was for months storing hundreds of large spreadsheets containing sensitive patient data in a storage bucket on Amazon Web Services without a password
The data exposure was first reported by technology news website TechCrunch
NEW DELHI: Diagnostic chain Dr Lal PathLabs left a huge tranche of data of its patients, including those that tested themselves for Covid-19, exposed on a public server for about a year until it was found by Melbourne-based security expert Sami Toivonen.
“The estimate of total patient records is in millions and some of the oldest records dated back to early 2019. The publicly exposed S3 bucket contained over 9,000 files that included booking details including full names, gender, full addresses, phone numbers, email addresses, patient UID's (unique identification numbers), digital signatures, limited payment details, doctor details and codes, and details and pictures of where, when, and what laboratory tests were taken," Toivonen told Mint.
Some of the records also contained additional remarks about the patient, such as if they had tested positive for Covid-19.
The data exposure was first reported by technology news website TechCrunch.
The company, which is India’s largest diagnostic chain, was for months storing hundreds of large spreadsheets containing sensitive patient data in a storage bucket on Amazon Web Services without a password, which allowed anyone to access the data inside.
Toivonen disclosed the data exposure to Dr Lal PathLabs last month, and a couple of hours later, the diagnostic chain quickly shut down access to the bucket, he said.
“It’s unclear for how long it was exposed or if any malicious actors have accessed the data while it was exposed," Toivonen said.
In a statement to Mint, Dr Lal PathLabs confirmed that there was an exposure of some of its data records.
“We received an email from a cyber-security researcher about a misconfiguration in one of our minor web applications where some temporary records were stored for operational purposes. This involved less than 0.5% of our records and was immediately fixed. Relevant authorities have also been kept informed," the Dr Lal PathLabs spokesperson said, adding that the company is committed to information security assurance.
Medical data is in high value when sold in DarkWeb and, generally, this kind of data can be misused in many ways in scams, frauds and phishing, Toivonen said.
“Their customers should be on the lookout for emails, text messages, and phone calls from fraudsters posing as Dr Lal Pathlabs or a related company. Scammers can use the database’s personal information to make the message seem more convincing like mentions about specific test results etc," he added.
Dr Lal PathLabs conducted tests of almost 8 million samples from around 3.5 million patients in April-June. This, however, was lower than usual as testing volumes during the quarter were severely impacted by the lockdowns. The company, however, had conducted almost 200,000 covid-19 tests till June, chief financial officer Ved Prakash Goel had said in the company’s conference call on 31 July.
In the preceding quarter ended March, the company had tested over 11 million samples from about 4.4 patients, according to the company’s investor presentations.