Millions of People in India Might Have Suffered a Breach of Their Medical Data
According to a news report published by TechCrunch, Dr. Lal PathLabs, a Delhi-based healthcare provider and medical testing laboratory, left one of its databases publicly accessible for months on end, without any sort of protection.
The lab is one of the biggest of its kind in all of India, serving an estimated 70 thousand patients a day, which also makes it one of the biggest Covid-19 testing centers in the country.
It turned out that Dr. Lal PathLabs was keeping a large number of massive spreadsheets full of personal patient data in an Amazon Web Services storage bucket with no protection and no password in place, which effectively meant anyone could access all the records.
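The failure described above is a storage bucket that anyone on the internet can read. The most common ways that happens on AWS S3 are a bucket policy whose principal is `*` and a bucket ACL that grants the `AllUsers` or `AuthenticatedUsers` group. The following offline checker is an added example, not code from the article, TechCrunch or Dr. Lal PathLabs; it evaluates policy and ACL documents in the JSON shape that `aws s3api get-bucket-policy` and `get-bucket-acl` return, so a defender can run it over exported bucket configuration without any credentials. The bucket name, account ID and role name in the sample documents are constructed placeholders.

```python
"""Offline check for S3 bucket settings that make objects world-readable.

Added example: flags bucket policies and ACLs that grant access to anyone.
Inputs are constructed JSON documents in the shape returned by
`aws s3api get-bucket-policy` / `get-bucket-acl`.
"""
import json

# Real AWS predefined groups; a grant to either makes the bucket public
ANONYMOUS_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """'*' and {'AWS': '*'} both mean any caller, including unauthenticated ones."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy):
    """Return (Sid, actions) for every Allow statement reachable by anyone.

    Statements with a Condition block are reported as 'conditional' because a
    condition (e.g. a source-VPC restriction) may narrow the grant; they need a
    human review rather than an automatic verdict.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"stmt{i}")
        if stmt.get("Condition"):
            findings.append((sid, "conditional"))
            continue
        findings.append((sid, ",".join(_as_list(stmt.get("Action", [])))))
    return findings


def public_acl_grants(acl):
    """Return (group, permission) for ACL grants to the anonymous groups."""
    return [
        (grant["Grantee"]["URI"].rsplit("/", 1)[-1], grant["Permission"])
        for grant in acl.get("Grants", [])
        if grant.get("Grantee", {}).get("Type") == "Group"
        and grant["Grantee"].get("URI") in ANONYMOUS_GROUPS
    ]


def bucket_is_public(policy, acl):
    """True when either the policy or the ACL exposes the bucket to everyone."""
    return bool(public_policy_statements(policy)) or bool(public_acl_grants(acl))


# Constructed sample: the weak configuration (anyone may read any object)
OPEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::example-lab-results/*"}]
}""")
OPEN_ACL = {"Grants": [
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}

# Constructed sample: the corrected configuration (one application role only)
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "AppRoleRead", "Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::123456789012:role/lab-results-app"},
                 "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::example-lab-results/*"}]
}""")
PRIVATE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
     "Permission": "FULL_CONTROL"}]}


if __name__ == "__main__":
    for name, pol, acl in (("open", OPEN_POLICY, OPEN_ACL),
                           ("hardened", HARDENED_POLICY, PRIVATE_ACL)):
        print(name, "public" if bucket_is_public(pol, acl) else "private",
              public_policy_statements(pol), public_acl_grants(acl))
```

A policy or ACL check alone is not the whole audit: the account- or bucket-level S3 Block Public Access setting can override both, so a complete review also records that setting for each bucket and treats any bucket holding patient data without it as a finding.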
The leaky database was discovered by security researcher Sami Toivonen who reported the issue to the laboratory as early as September 2020. According to Toivonen's interview with TechCrunch, access to the leaky storage was cut off, but the researcher received no reply from the laboratory.
According to Toivonen, the exposed spreadsheets contained millions of individual patient records, including daily test results. The records consisted of patient names, dates of birth, home addresses, mobile numbers and the tests performed, which indirectly reveals information about a person's health condition. Additional details on certain patients also stated whether or not they were Covid-19 positive.
Researcher Surprised by Lax Database Security
Toivonen said he was "blown away" by the discovery and the fact that an organization so large and dealing with personal information that is so sensitive had left a huge amount of patient personal data virtually completely unprotected.
When TechCrunch contacted the laboratory, it received a formal response that an investigation was underway, but the lab representative answered no other questions and did not say whether or not the Indian health provider intends to notify its patients of the database exposure.