Dr Lal PathLabs, one of India's largest diagnostic centres, stored the personal details of tens of thousands of patients on a publicly accessible AWS server that was not protected with a password, allowing anyone who found it to access sensitive patient data.
The unprotected AWS server owned by Dr Lal PathLabs was discovered by Australian security researcher Sami Toivonen, who found hundreds of large spreadsheets on the server. The spreadsheets contained details of millions of individual patient bookings along with the personal details of each patient.
Patient records uploaded to the spreadsheets by the diagnostic firm included patients' names, addresses, dates of birth, gender, phone numbers, as well as the tests they were taking. Some bookings also included whether a patient had tested positive for COVID-19.
While Toivonen did not state exactly how many data records were found in the spreadsheets, Dr Lal PathLabs serves millions of people across India through over 1,700 patient service centres and over 190 clinical and medical laboratories. The firm offers a wide range of 4,500 clinical and medical tests and panels and has a presence in every major Indian city.
In New Delhi, Dr Lal PathLabs is presently running three government-approved private labs that perform real-time RT-PCR Covid-19 tests. These laboratories together have a capacity of testing 4,000 samples a day and have been conducting tests regularly since April.
“Once I discovered this I was blown away that another publicly-listed organisation had failed to secure their data, but I do believe that security is a team sport and everyone’s responsibility,” Toivonen told TechCrunch. “I’m glad that they secured it within a few hours after I contacted them because this kind of exposure with millions of patient records could be misused in so many ways by the malicious actors. I was also a little surprised that they didn’t respond to my responsible disclosure.”
Dr Lal PathLabs must offer identity theft and fraud prevention services to affected patients
Commenting on the massive breach of public health records by the diagnostic firm, Niamh Muldoon, Senior Director of Trust and Security at OneLogin, said that collecting such sensitive data without having the basic security controls in place breaches PII regulatory and healthcare compliance requirements, never mind industry best practices.
"Dr Lal PathLabs were fortunate to have received a warning from a benevolent security expert, but we do not know how long the information has been exposed and what other actors may have gained access. The company has a responsibility to swiftly reach out to patients and inform them of these circumstances, including providing full details of their data exposed as well as offering guidance on the next steps. Best practice for a breach like this would include offering identity theft and fraud prevention services to those impacted individuals," Muldoon added.
According to Sergio Loureiro, cloud security director at Outpost24, this is another case of sensitive data in AWS buckets being left wide open on the internet with little to no security: companies use AWS for analytics or big data projects and make careless configuration mistakes.
"To prevent this scenario companies must ensure they have the security process and controls in place to assess and be alerted of potential misconfigurations on a continuous basis," he added.
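The kind of continuous misconfiguration check Loureiro describes can be illustrated with a small offline assessor for the three inputs that decide whether an S3 bucket is reachable by everyone: its ACL grants, its bucket policy and its Public Access Block settings. The following is an added example written for this page; it is not code from the article, from Dr Lal PathLabs or from Outpost24. It assumes the documents have the JSON shape returned by the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock API calls, and the two bucket fixtures are constructed (the bucket names and the account ID are placeholders). In a real deployment the inputs would be fetched from the AWS API on a schedule and any finding raised as an alert.

```python
"""Offline check for S3 bucket public-exposure misconfigurations.

Evaluates a bucket's ACL grants, bucket policy and Public Access Block
settings together, the way S3 applies them, and reports why a bucket is
reachable by anyone on the internet. Added example; inputs are constructed.
"""
import json

# Grantee URIs AWS uses for "everyone" and "anyone with an AWS account"
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}, AWS's spelling of 'everyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_public_statements(policy):
    """Sids (or positional names) of Allow statements granted to everyone.

    Statements carrying a Condition are still reported, suffixed
    '(conditional)', because a condition may or may not narrow access
    and needs human review rather than silent acceptance.
    """
    found = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal")):
            sid = stmt.get("Sid", f"statement[{i}]")
            found.append(sid + " (conditional)" if "Condition" in stmt else sid)
    return found


def acl_public_grants(acl):
    """Permissions the ACL grants to the AllUsers or AuthenticatedUsers groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES]


def assess_bucket(name, acl, policy, public_access_block):
    """Combine ACL, policy and Public Access Block into one verdict.

    IgnorePublicAcls neutralises public ACL grants and RestrictPublicBuckets
    neutralises a public bucket policy, so a finding is only raised when the
    grant exists AND the matching block setting is off.
    """
    pab = public_access_block or {}
    findings = []
    acl_hits = acl_public_grants(acl)
    if acl_hits and not pab.get("IgnorePublicAcls"):
        findings.append(f"ACL grants {acl_hits} to a public group")
    policy_hits = policy_public_statements(policy) if policy else []
    if policy_hits and not pab.get("RestrictPublicBuckets"):
        findings.append(f"bucket policy statements {policy_hits} allow access to everyone")
    missing = [k for k in PAB_KEYS if not pab.get(k)]
    return {"bucket": name, "public": bool(findings),
            "findings": findings, "missing_block_settings": missing}


# Constructed fixtures: an exposed bucket and its hardened counterpart.
EXPOSED = {
    "name": "constructed-exposed-bucket",
    "acl": {"Owner": {"ID": "owner-id"}, "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ]},
    "policy": json.loads("""{
      "Version": "2012-10-17",
      "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                     "Action": "s3:GetObject",
                     "Resource": "arn:aws:s3:::constructed-exposed-bucket/*"}]
    }"""),
    "public_access_block": None,          # never configured
}
HARDENED = {
    "name": "constructed-hardened-bucket",
    "acl": {"Owner": {"ID": "owner-id"}, "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]},
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "AnalyticsRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/analytics"},  # placeholder account
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::constructed-hardened-bucket/*"}]},
    "public_access_block": {k: True for k in PAB_KEYS},
}

if __name__ == "__main__":
    for bucket in (EXPOSED, HARDENED):
        print(json.dumps(assess_bucket(**bucket), indent=2))
```

Run as-is it prints one verdict per fixture: the exposed bucket is flagged for both its AllUsers READ grant and its `Principal: "*"` policy statement and lists all four missing block settings, while the hardened bucket produces no findings. The `missing_block_settings` list is worth alerting on even when no public grant exists yet, since enabling all four settings is what stops a later careless upload from becoming the next exposure.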