Dr. Lal PathLabs, one of the biggest diagnostics chains in India, left a huge tranche of patient data, including people's COVID test results, exposed on a public server. The data stayed there for around a year before being reported by Melbourne-based security expert Sami Toivonen. According to Toivonen, the patient records number in the millions, and some of them date back to early 2019.
According to their official statement, “The publicly exposed S3 bucket contained over 9,000 files that included booking details including full names, gender, full addresses, phone numbers, email addresses, patient UIDs (unique identification numbers), digital signatures, limited payment details, doctor details and codes, and details and pictures of where, when, and what laboratory tests were taken.”
TechCrunch was the first to report the data exposure. The diagnostic chain was storing the data in spreadsheets and saving them on Amazon Web Services without any password, which made the data accessible to almost anyone. The exposure was reported last month, and the exposed server has since been shut down. Dr. Lal PathLabs has also confirmed the data exposure, but there is no confirmation of how the data was exposed. According to the company, it received an email from a cyber-security researcher about a misconfiguration in one of its minor web applications.
This was the web application where the data was stored temporarily. According to the diagnostic chain, the affected data amounts to less than 0.5% of its records. Anyone who has used the diagnostic chain's services in the last year or two is advised to be on the lookout for fraudulent emails, messages, and phone calls from fraudsters posing as the diagnostic chain.