With COVID-19 now infecting over 7 million Indians, the country has rapidly scaled its testing capacity. India is now conducting well over a million tests every day, and is only behind the US in total number of tests conducted so far. That rapid scale-up, however, puts pressure on private diagnostic chains to keep up with demand, and it has resulted in glaring loopholes at one of India’s biggest testing chains, Dr. Lal Pathlabs.
In a discovery made by Australia-based security expert Sami Toivonen, Lal Pathlabs was apparently storing patients’ critical data in a plain spreadsheet, lying in a publicly accessible AWS bucket. Toivonen contacted Dr. Lal Pathlabs right away in September. The blood-testing company responded quickly and terminated access to the exposed patient data.
In an exclusive conversation with The Tech Portal, Toivonen tells us that the estimated number of patient records is in the millions and that some of the oldest records date back to early 2019. The publicly exposed S3 bucket contained over 9,000 files with booking details, including full names, gender, full addresses, phone numbers, email addresses, patient UIDs, digital signatures, limited payment details, doctor details/codes, and details/pictures of where, when and what laboratory tests were taken.
Toivonen said, “No credit card details or passwords were exposed. The team at Dr Lal Pathlabs secured the data only a couple hours after I responsibly disclosed it to them.”
While the data is now secured, it is plainly embarrassing for a publicly listed company of Lal Pathlabs’ size to have left patients’ data in the open. Toivonen says it is unclear how long the data was exposed, or whether any malicious actors accessed it while it was.
Medical data is of high value when sold on the dark web, and, generally speaking, this kind of data can be misused in many ways in scams, fraud and phishing. The company’s customers should be on the lookout for emails, text messages and phone calls from fraudsters posing as Dr Lal Pathlabs or a related company.
Scammers can use the personal information in the database to make a message seem more convincing, for example by mentioning specific test results.
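The root cause described above, an S3 bucket readable by anyone on the internet, is the kind of misconfiguration a cloud owner can check for mechanically. The following is an added example written for this article, not code from Dr. Lal Pathlabs or from the researcher. It evaluates the three things that together decide whether an S3 bucket is public: the bucket policy (the JSON document GetBucketPolicy returns), the bucket ACL grants (the shape GetBucketAcl returns) and the Public Access Block settings (the four flags GetPublicAccessBlock returns). It works purely on those documents, so it runs offline; the bucket name, account id and role name in the sample inputs are constructed, as is the "exposed" policy placed beside a hardened one that grants access only to a named IAM role.

```python
import json
from typing import Dict, List

# Grantee URIs S3 uses for "everyone" and "any signed-in AWS account" in bucket ACLs.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Actions that let an anonymous principal list the bucket or fetch its objects.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """IAM policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    """True when the statement's Principal matches anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_read_statements(policy_doc: str) -> List[str]:
    """Return the Sid (or an index label) of every Allow statement that grants
    read/list access to a public principal. Statements carrying a Condition are
    prefixed 'conditional:' because a condition such as aws:SourceVpc may
    legitimately narrow them; they still deserve a human look."""
    policy = json.loads(policy_doc)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & READ_ACTIONS:
            continue
        label = stmt.get("Sid", f"statement[{idx}]")
        if stmt.get("Condition"):
            label = "conditional:" + label
        findings.append(label)
    return findings


def public_acl_grants(grants: List[Dict]) -> List[str]:
    """Return 'Group:Permission' for each ACL grant to AllUsers/AuthenticatedUsers."""
    return [
        f"{g['Grantee']['URI'].rsplit('/', 1)[-1]}:{g['Permission']}"
        for g in grants
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)
    ]


def public_access_block_gaps(cfg: Dict[str, bool]) -> List[str]:
    """Return the Public Access Block flags that are not enabled. With all four
    set, a public policy or ACL like the ones above is neutralised even if someone
    later re-creates it."""
    required = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
    return [k for k in required if not cfg.get(k, False)]


# Constructed sample inputs; none of these values come from the incident.
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-lab-reports",
                     "arn:aws:s3:::example-lab-reports/*"],
    }],
})

HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReportServiceOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/report-service"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-lab-reports/*",
    }],
})

EXPOSED_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
PRIVATE_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]

if __name__ == "__main__":
    print(public_read_statements(EXPOSED_POLICY))    # ['PublicReadGetObject']
    print(public_read_statements(HARDENED_POLICY))   # []
    print(public_acl_grants(EXPOSED_ACL))            # ['AllUsers:READ']
    print(public_access_block_gaps({"BlockPublicAcls": True}))
```

The three checks are deliberately separate: a bucket can be private by policy yet public through a legacy ACL, and the Public Access Block flags are the control that makes both the policy and the ACL irrelevant. An owner who wants the condition of a bucket to be knowable rather than guessed, which is exactly what Toivonen says was unclear here, would run these checks from a scheduled job and alert on any non-empty result.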
In a world that runs partially on data, it is critical that access to it is limited to the data’s owner. Yet of late, various companies have failed to carry this essential responsibility, with data leaks happening every now and then.
In the case of Dr. Lal Pathlabs, millions of patients’ records were exposed to the open internet, where anyone with a connection could have accessed them. During the pandemic, the company became a leading player in conducting COVID-19 tests in India, with over 70,000 patients every day flocking to its 2500 collection centers for tests. The company has 250 labs across the country. Given these huge numbers, it is crucial that the company safeguards its patients’ data along with saving their lives.