[BreachExchange] Dr Lal PathLabs, one of India’s largest blood test labs, exposed patient data

Inga Goddijn inga at riskbasedsecurity.com
Fri Oct 9 10:35:14 EDT 2020


https://techcrunch.com/2020/10/08/dr-lal-pathlabs-exposed-patient-lab-data/

Dr Lal PathLabs, one of the largest lab testing companies in India, left a
huge cache of patient data on a public server for months, TechCrunch has
learned.

The lab testing giant, headquartered in New Delhi, serves some 70,000
patients a day
<https://cio.economictimes.indiatimes.com/news/strategy-and-management/dr-lal-pathlabs-streamlines-critical-processes-by-going-digital/71411814>,
and quickly became a major player in testing patients for COVID-19 after
winning approval from the Indian government.

But the company was storing hundreds of large spreadsheets packed with
sensitive patient data in a storage bucket, hosted on Amazon Web Services
<https://crunchbase.com/organization/amazon-web-services> (AWS), without a
password, allowing anyone to access the data inside.
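The failure described above is an object-storage bucket whose access policy or ACL lets anonymous principals read objects. As an added example (not code from the mailing-list post, TechCrunch, or the company), the following offline checker flags the two bucket-level settings on AWS S3 that produce exactly that exposure: a bucket policy statement that allows `s3:GetObject` to `Principal: "*"` with no `Condition`, and an ACL grant to the `AllUsers` or `AuthenticatedUsers` group. The policy documents, ACL grants, bucket name and account ID below are constructed placeholders; the weak configuration is shown beside a hardened one that scopes access to a single IAM role.

```python
"""Offline S3 public-access checker (added example; inputs are constructed)."""
import json

# Canonical ACL group URIs whose grants make objects world-readable.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Action patterns that cover object reads (compared lower-case).
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (anonymous / everyone)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_allows_anonymous_read(policy_json: str) -> list:
    """Return Sids (or positional labels) of Allow statements granting
    unconditional object reads to everyone. Deny statements are skipped,
    and a statement carrying a Condition is treated as scoped."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not (actions & READ_ACTIONS):
            continue
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


def acl_grants_public_read(grants: list) -> bool:
    """True if any ACL grant gives READ or FULL_CONTROL to a public group."""
    for grant in grants:
        grantee = grant.get("Grantee", {})
        public = grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS
        if public and grant.get("Permission") in {"READ", "FULL_CONTROL"}:
            return True
    return False


def audit_bucket(policy_json: str, grants: list) -> dict:
    """Combine both checks into one report for a bucket."""
    open_statements = policy_allows_anonymous_read(policy_json)
    return {
        "public_policy_statements": open_statements,
        "public_acl": acl_grants_public_read(grants),
        "exposed": bool(open_statements) or acl_grants_public_read(grants),
    }


# --- Constructed samples (placeholder bucket name and example account ID) ---
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-lab-results-bucket/*",
    }],
})

HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # Reads limited to one named role instead of everyone.
            "Sid": "IngestRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/lab-results-ingest"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-lab-results-bucket/*",
        },
        {   # Deny with Principal "*" is a guard, not a grant; not flagged.
            "Sid": "DenyPlaintextTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-lab-results-bucket/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

WEAK_ACL = [{"Grantee": {"Type": "Group",
                         "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}]
PRIVATE_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                "Permission": "FULL_CONTROL"}]

if __name__ == "__main__":
    print("weak:", audit_bucket(WEAK_POLICY, WEAK_ACL))
    print("hardened:", audit_bucket(HARDENED_POLICY, PRIVATE_ACL))
```

The checker only evaluates the policy and ACL documents themselves; in a real account the bucket- and account-level Block Public Access settings, when enabled, override both, so an inventory script should also record those flags. Treating any `Condition` as "scoped" is deliberately conservative: a condition such as a bucket-wide `aws:SecureTransport` check does not actually restrict who can read, so flagged-clean statements with conditions still deserve a manual look.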

Australia-based security expert Sami Toivonen found the exposed data and
reported it to Dr Lal PathLabs in September. The company quickly shut down
access to the bucket but did not reply to him, Toivonen told TechCrunch.

It’s not known how long the bucket was exposed.

Toivonen said the exposed data amounted to millions of individual patient
bookings.

The spreadsheets appear to contain daily records of patient lab tests. Each
spreadsheet contained a patient’s name, address, gender, date of birth and
cell number, as well as details of the test that the patient is taking,
which could indicate or infer a medical diagnosis or a health condition.

Some booking records contained additional remarks about the patient, such
as if they had tested positive for COVID-19.

Toivonen provided TechCrunch with a sample of the files from the exposed
server for verification. We reached out to several patients to confirm
their details found in the spreadsheet.

“Once I discovered this I was blown away that another publicly listed
organization had failed to secure their data, but I do believe that
security is a team sport and everyone’s responsibility,” Toivonen told
TechCrunch. “I’m glad that they secured it within a few hours after I
contacted them because this kind of exposure with millions of patient
records could be misused in so many ways by the malicious actors.”

“I was also a little surprised that they didn’t respond to my responsible
disclosure,” he said.

A spokesperson for Dr Lal PathLabs said it was “investigating” the security
lapse but did not answer our questions, including if the company plans to
inform its patients of the exposure.