One of India’s biggest blood test lab chains, Dr Lal PathLabs, left millions of its patients’ data unprotected, allowing anyone with an internet connection to access the data.
According to TechCrunch, the company kept spreadsheets filled with sensitive patient data in a storage bucket hosted on Amazon Web Services (AWS) without a password.
All the spreadsheets had patients’ names, addresses, mobile numbers, and dates of birth. One column also had details of the tests the patients were taking, which could easily indicate their medical condition. Some fields even stated whether the patient had tested positive for COVID-19.
Sami Toivonen, a security expert from Australia who came across the unsecured data, reported it to Lal PathLabs in September. It is not known how long the data was exposed.
After being warned by Sami, the company was quick to shut down access to the exposed data. However, PathLabs refrained from speaking to the security expert.
“I’m glad that they secured it within a few hours after I contacted them because this kind of exposure with millions of patient records could be misused in so many ways by the malicious actors,” Sami told TechCrunch.
After receiving a sample of the leaked files, TechCrunch was able to check the authenticity of the data by contacting a few of the patients listed in the exposed spreadsheets. A Lal PathLabs spokesperson told TechCrunch that it was investigating the issue, but it didn’t respond to any other questions.