One of India’s largest diagnostic centers, Dr Lal PathLabs, reportedly exposed thousands of patients’ information via an unprotected Amazon Web Services (AWS) server. According to TechCrunch, the server had been left exposed for months.
Dr Lal PathLabs is a New Delhi-based testing center that caters to approximately 70,000 patients per day. As a lab testing giant, the medical facility became a key player in providing lab tests for COVID-19 patients.
Australian security researcher Sami Toivonen discovered the unprotected AWS server and immediately reached out to Dr Lal PathLabs to report the incident. However, while the testing giant shut down the exposed storage bucket in question, TechCrunch states that the company did not reply or issue a statement.
Based on Toivonen’s finding, the diagnostic center was storing spreadsheets filled with confidential information in the Amazon Web Services storage bucket without a password. This meant that the data was made available to the public. The storage bucket’s length of public exposure is still unknown.
Among the information left vulnerable by the AWS server are names, home addresses, phone numbers, gender, as well as the type of test being requested by the patient. The type of test supposedly indicates or implies the kind of medical condition or diagnosis a patient has.
Apart from the aforementioned information, Mint reports that the publicly exposed S3 bucket also contained patient UIDs (unique identification numbers), digital signatures, as well as limited payment information.
Moreover, other confidential information, such as doctor details and codes, as well as the details and photos of laboratory tests, were also included in the server.
Mint also reported that the records bore remarks about the patient and their health condition, such as for those who may have tested for the COVID-19 virus.
Although no exact number has been determined, Toivonen maintains that the exposed data affected millions of individual patient bookings. In a statement, the security researcher said that “the estimate of total patients is in millions and some of the older records dated back to early 2019.”
When contacted, Dr Lal PathLabs maintained that it is still in the process of investigating the incident, according to TechCrunch. There are still no details surrounding the company’s intention to notify the public about the data leak.
However, in a statement to Mint, a company spokesperson revealed that the records possibly compromised only “involved less than 0.5% of our records.” The spokesperson also said that the company had communicated the incident to relevant authorities.