According to theinformationsuperhighway, Dr. Lal PathLabs, one of the largest laboratory testing companies in India, left a huge cache of patient data on a public server for months.
Headquartered in New Delhi, the lab test giant serves around 70,000 patients daily and quickly became a major player in testing patients for COVID-19 after approval by the Indian government.
However, the company stored hundreds of large tables of sensitive patient data in a storage bucket hosted on Amazon Web Services (AWS) with no password or other access control, so anyone who found the address could read the data.
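The exposure described above is the familiar pattern of a bucket whose access control list (ACL) grants READ to everyone. The following is an added example, not code from the article or from Dr. Lal PathLabs, showing how a defender checks a bucket's ACL together with its S3 Public Access Block settings; the two predefined public group URIs and the Public Access Block flag names are real AWS values, while the sample ACLs are constructed here for illustration and the `audit_live_bucket` helper (which needs boto3 and credentials) is an assumed convenience wrapper.

```python
"""Offline audit of S3 bucket ACL + Public Access Block for public readability.

Real AWS semantics used here:
  * The AllUsers group means anyone on the internet; AuthenticatedUsers means any
    AWS account, which is effectively public too.
  * IgnorePublicAcls=true makes S3 ignore such grants even if they still exist;
    BlockPublicAcls=true only prevents *new* public ACLs from being written.
  * Bucket policies are a separate path to public access and are not covered here.
"""
from typing import Any, Dict, List, Optional

PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}


def public_read_grants(acl: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return the ACL grants that give READ or FULL_CONTROL to a public group.

    `acl` has the shape returned by s3.get_bucket_acl(): {"Owner": ..., "Grants": [...]}.
    """
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (
            grantee.get("Type") == "Group"
            and grantee.get("URI") in PUBLIC_GRANTEE_URIS
            and grant.get("Permission") in READ_PERMISSIONS
        ):
            found.append(grant)
    return found


def is_publicly_readable(acl: Dict[str, Any], pab: Optional[Dict[str, Any]]) -> bool:
    """True if the ACL exposes the bucket and Public Access Block does not neutralise it.

    `pab` is the PublicAccessBlockConfiguration dict, or None when the bucket has none
    (the state that leaves an ACL like the one below fully effective).
    """
    if not public_read_grants(acl):
        return False
    if pab and pab.get("IgnorePublicAcls"):
        return False  # S3 disregards public ACL grants when this flag is on
    return True


def audit_live_bucket(bucket: str) -> bool:
    """Assumed convenience wrapper: fetch ACL and Public Access Block with boto3.

    Not exercised offline. Remediation once a bucket is found exposed:
      aws s3api put-public-access-block --bucket <NAME> \
        --public-access-block-configuration \
        BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
    """
    import boto3  # imported lazily so the offline checks above need no dependency
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3")
    acl = s3.get_bucket_acl(Bucket=bucket)
    try:
        pab = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except ClientError as exc:
        if exc.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
        pab = None
    return is_publicly_readable(acl, pab)


# Constructed sample ACLs (not real bucket data).
OWNER = {"DisplayName": "lab-data-owner", "ID": "0000000000000000000000000000000000000000000000000000000000000000"}
EXPOSED_ACL = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
PRIVATE_ACL = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
    ],
}

if __name__ == "__main__":
    print("exposed, no PAB        :", is_publicly_readable(EXPOSED_ACL, None))
    print("exposed, IgnorePublicAcls:", is_publicly_readable(EXPOSED_ACL, {"IgnorePublicAcls": True}))
    print("private                :", is_publicly_readable(PRIVATE_ACL, None))
```

Run the offline checks as shown in the `__main__` block; the same `is_publicly_readable` logic is what `audit_live_bucket` applies to a real bucket's settings. Because a bucket policy can also grant `s3:GetObject` to `"Principal": "*"`, a complete audit also inspects `get_bucket_policy_status` (its `IsPublic` flag) rather than relying on the ACL alone.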
Australia-based security expert Sami Toivonen found the exposed data and reported it to Dr. Lal PathLabs. The company quickly blocked access to the bucket but never replied to him, Toivonen told theinformationsuperhighway.
It is not known how long the bucket was exposed.
According to Toivonen, the exposed data amounted to millions of individual patient bookings.
Image caption: An edited section of the spreadsheet showing patient information, including name, address, phone number, gender, and the test the patient requested. (Screenshot: theinformationsuperhighway)
The spreadsheets appear to contain daily records of patient laboratory tests. Each table contained a patient's name, address, gender, date of birth, and phone number, as well as details of the test the patient was taking, from which a medical diagnosis or health condition could be inferred.
Some booking records contained additional notes about the patient, such as whether they had tested positive for COVID-19.
Toivonen provided theinformationsuperhighway with a sample of the files from the exposed server for review. We reached out to several patients to confirm the details recorded about them in the table.
"When I discovered this, I was overwhelmed that another publicly traded organization hadn't backed up their data, but I believe security is a team sport and everyone is responsible for it," Toivonen told theinformationsuperhighway. "I'm glad they backed it up within hours of my contacting them, as this type of exposure of millions of medical records could be abused in so many ways by malicious actors."
"I was also a little surprised that they didn't respond to my responsible disclosure," he said.
A spokesperson for Dr. Lal PathLabs said the company had "investigated" the vulnerability but did not answer our questions, including whether the company plans to inform its patients about the exposure.