[BreachExchange] Health Website Leaks 8 Million COVID-19 Test Results

Destry Winant destry at riskbasedsecurity.com
Mon Mar 1 10:38:56 EST 2021


https://threatpost.com/health-website-leaks-covid-19-test/164274/

A teenaged ethical hacker discovered a flawed endpoint associated with
a health-department website in the state of Bengal, which exposed
personally identifiable information related to test results.

Yet another human-related error — this time a flaw in a health
department website in the state of Bengal, India — has exposed the
confidential results of COVID-19 tests as well as personally
identifying information (PII) for an entire geographic region’s
population.

Test results related to more than 8 million people potentially were
exposed before the agency fixed the error, according to a security
researcher.

Sourajeet Majumder, a teenaged ethical hacker in India, noticed a flaw
in the structure of a URL in a text informing someone of their test
result from Bengal health authorities. It included a pathway for
finding other people’s test results, according to a report in
BleepingComputer. The error was eventually traced back to a faulty
endpoint at the Health and Family Welfare Department of the state of
West Bengal, according to the report.

Specifically, the structure of a URL in the text of the message just
before providing the test result comprised a base64-encoded report ID
number, which a threat actor could decode to construct new sets of
URLs that would enable access to other test results, Majumder told the
publication. In the case of the example shown in the report, the text
“The Covid-19 Test Result of [Name]” was followed by the text “SRF ID
193” before showing the result as “negative.”

Majumder did some investigating and realized that the base64 encoding
applied to the numeric identifier was optional, so removing it did not
impact the ability to retrieve reports. He said that by enumerating
URLs, an attacker could retrieve millions of confidential COVID-19
test results, according to the report.

Each medical record contained information pertaining to the patient’s
name, age, gender, partial home address, COVID-19 test result, date of
the test, report identifier and even identifying details for the lab
where the test was conducted, Majumder said.

“I have found an issue in an Indian government site which is resulting
in the leakage of test reports of EVERYONE who took a COVID-19 test in
a particular state,” he told the outlet. “These reports have sensitive
information about the citizens in them, like name, age, date and time
of sample testing, residence address, etc.”

A potential hack leading to the ability to view the information would
have looked something like this, according to the report:

https://cpms.wbhealth.gov[.]in:8003/Covid19.aspx?SRFID=1931XXXXXX1
https://cpms.wbhealth.gov[.]in:8003/Covid19.aspx?SRFID=1931XXXXXX2
https://cpms.wbhealth.gov[.]in:8003/Covid19.aspx?SRFID=1931XXXXXX3

The researcher said he tried to contact the health department about
the leak but did not reach them. Majumder also disclosed his finding
to a regional newspaper in India, which published a report on Tuesday
in which a North Bengal health official, Dr. Sushant Roy, acknowledged
the flaw and said it would be fixed immediately.

It has since been remediated and it’s no longer possible to access
reports using the enumeration method, according to BleepingComputer.

COVID-19 Data-Leak Accidents Abound

Though there was no intention in this case to leak relevant COVID-19
data, it’s not the first inadvertent potential exposure of test
results or other related sensitive information since the pandemic
began.

In September, the Wales arm of the U.K.’s NHS admitted that it
accidentally uploaded PII for Welsh residents who tested positive for
COVID-19 to a public server that anyone could search, exposing the
information of more than 16,000 people. The leak, which was fixed 24
hours later, was blamed on “individual human error.”

In November, a COVID-19 data-sharing platform used by healthcare
workers in the Philippines was found to be exposing healthcare worker
data and potentially could have leaked patient data due to multiple
system flaws.

Not all the COVID-19-related breaches have been accidental, either, as
threat actors have willfully sought ways to get their hands on
sensitive pandemic-related data with targeted attacks. In December for
example, threat actors broke into the server of the European Medicines
Agency and accessed documentation about the vaccine from Pfizer and
BioNTech — data that was later leaked online.
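
One way to close the kind of enumerable-link flaw described above, shown as an added example (not code from the article, the researcher, or the health department's site): the server binds each report link to an HMAC tag, so changing the SRFID or stripping its base64 wrapper does not yield another valid link. The `t` parameter, the key, the function names and the sample IDs are all constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed demo key (assumption); a real service loads it from a secret store.
LINK_KEY = b"constructed-demo-key-not-a-real-secret"

def _tag(srf_id: str) -> str:
    """HMAC-SHA256 over the canonical numeric ID, truncated to 128 bits."""
    mac = hmac.new(LINK_KEY, srf_id.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:16]).decode().rstrip("=")

def make_link_params(srf_id: str) -> dict:
    """Query parameters the server would place in the texted link."""
    return {"SRFID": srf_id, "t": _tag(srf_id)}

def normalize_id(raw: str):
    """Reduce a plain or base64-wrapped numeric ID to its digits, else None.

    The article's endpoint accepted both forms; base64 is an encoding,
    so both must map to one canonical value before any check is made.
    """
    if raw.isascii() and raw.isdigit():
        return raw
    try:
        decoded = base64.b64decode(raw, validate=True).decode("ascii")
    except ValueError:  # covers bad base64 and non-ASCII payloads
        return None
    return decoded if decoded.isdigit() else None

def authorize(params: dict) -> bool:
    """Serve a report only if the tag matches the requested ID."""
    srf_id = normalize_id(params.get("SRFID", ""))
    tag = params.get("t", "")
    if srf_id is None or not tag:
        return False
    # Constant-time comparison on bytes; a missing or wrong tag is a denial.
    return hmac.compare_digest(_tag(srf_id).encode(), tag.encode())

if __name__ == "__main__":
    link = make_link_params("9000000001")           # constructed sample ID
    print(authorize(link))                          # the issued link works
    print(authorize({**link, "SRFID": "9000000002"}))  # neighbouring ID is refused
```

The tag turns the link into a bearer secret for one report; repeated tag failures from a single client are also a useful signal for enumeration monitoring.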

