Dr Lal PathLabs, one of India's largest diagnostic chains, left data of millions of customers exposed in an unprotected cloud server. The company was alerted by cybersecurity expert Sami Toivonen after which it shut access to the data within a couple of hours.
However, the data was exposed for around a year before the cybersecurity expert spotted it. Melbourne-based Sami Toivonen said that the number of patients whose data was exposed could run into the millions. Some of the oldest files reportedly dated back to early 2019. Information such as booking details, names, gender, addresses, phone numbers, email addresses, digital signatures, limited payment details, doctor details and details of the tests taken was all available in the publicly exposed S3 bucket. According to TechCrunch, some records even stated whether the patient had tested positive for COVID-19.
Dr Lal PathLabs had stored the data in a bucket hosted on Amazon Web Services without a password. This allowed anyone to access the data. Toivonen said that it is unclear for how long the data remained exposed and whether any malicious actors accessed it.
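The failure described here is a bucket whose policy or ACL lets unauthenticated callers read objects. The Python script below is an added illustration, not code from the article or from any party it names: it audits the three settings a defender checks on an S3 bucket (the bucket policy, the bucket ACL and the Block Public Access configuration) and reports every anonymous read path. The input shapes mirror what boto3 returns from get_bucket_policy, get_bucket_acl and get_public_access_block, but the sample values are constructed, and the bucket name, role ARN and owner ID are placeholders.

```python
"""Audit an S3 bucket's policy, ACL and Block Public Access settings for anonymous read access.
Added example; the sample documents below are constructed, not taken from the incident."""
import json
from typing import Any, Optional

# ACL group URIs that AWS treats as "everyone" / "any AWS account"
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACL_PERMISSIONS = {"READ", "FULL_CONTROL"}
# Policy actions that let a principal list or fetch objects (compared lower-case)
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value: Any) -> list:
    """Policy documents allow a scalar or a list in most fields."""
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal: Any) -> bool:
    """'Principal': '*' and 'Principal': {'AWS': '*'} both mean unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def policy_findings(policy_json: Optional[str]) -> list:
    """Report Allow statements that grant read-type actions to anonymous principals."""
    if not policy_json:
        return []
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not principal_is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            qualifier = " (conditional)" if "Condition" in stmt else ""
            findings.append(f"policy statement {stmt.get('Sid', '<no Sid>')} allows "
                            f"{sorted(actions)} to anonymous principals{qualifier}")
    return findings


def acl_findings(acl: dict) -> list:
    """Report ACL grants giving READ or FULL_CONTROL to the AllUsers/AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GRANTEE_URIS
                and grant.get("Permission") in READ_ACL_PERMISSIONS):
            findings.append(f"ACL grants {grant['Permission']} to {grantee['URI'].rsplit('/', 1)[-1]}")
    return findings


def block_public_access_enforced(bpa: Optional[dict]) -> bool:
    """True only when all four Block Public Access flags are on; a missing config counts as off."""
    cfg = (bpa or {}).get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(flag) is True for flag in BPA_FLAGS)


def audit_bucket(policy_json: Optional[str], acl: dict, bpa: Optional[dict]) -> list:
    """Combine the checks; an empty list means no anonymous read path and BPA fully on."""
    findings = policy_findings(policy_json) + acl_findings(acl)
    if block_public_access_enforced(bpa):
        # BPA overrides public ACLs and policies, so such grants are neutralised but still worth removing
        findings = [f + " [blocked by Block Public Access]" for f in findings]
    else:
        findings.append("Block Public Access is not fully enabled")
    return findings


# Constructed sample: an exposed bucket (placeholder names, not the incident's)
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})
EXPOSED_ACL = {"Grants": [{"Grantee": {"Type": "Group",
                                       "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                           "Permission": "READ"}]}
EXPOSED_BPA = {"PublicAccessBlockConfiguration": {f: False for f in BPA_FLAGS}}

# Constructed sample: the hardened counterpart, readable only by one application role
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AppRoleOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
HARDENED_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
                            "Permission": "FULL_CONTROL"}]}
HARDENED_BPA = {"PublicAccessBlockConfiguration": {f: True for f in BPA_FLAGS}}

if __name__ == "__main__":
    for label, args in (("exposed", (EXPOSED_POLICY, EXPOSED_ACL, EXPOSED_BPA)),
                        ("hardened", (HARDENED_POLICY, HARDENED_ACL, HARDENED_BPA))):
        print(label, audit_bucket(*args) or ["no anonymous read path"])
```

Running the script prints three findings for the exposed sample (the policy statement, the ACL grant, and the missing Block Public Access settings) and none for the hardened one. Against a live account the same functions take the responses of the three boto3 calls named in the lead-in; the point of checking Block Public Access separately is that it neutralises a public grant even when the grant itself is still present.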
"Once I discovered this I was blown away that another publicly listed organisation had failed to secure their data, but I do believe that security is a team sport and everyone's responsibility," Toivonen said, as quoted by the tech news site. The expert added that this kind of exposure of millions of patient records could be misused in "so many ways".
A Dr Lal PathLabs spokesperson acknowledged that there was a data exposure. The spokesperson said that temporary records were placed in the bucket for operational purposes, adding that it involved less than 0.5 per cent of their records. Once they were informed about the exposure, they immediately fixed the issue, said the spokesperson. The company added that the relevant authorities have also been informed about the issue.