The company was for months storing hundreds of large spreadsheets containing sensitive patient data in a storage bucket on Amazon Web Services without a password. The data exposure was first reported by technology news website TechCrunch.
NEW DELHI: Diagnostic chain Dr Lal PathLabs left a huge tranche of data of its patients, including those that tested themselves for Covid-19, exposed on a public server for about a year until it was found by Melbourne-based security expert Sami Toivonen.
“The estimate of total patient records is in millions and some of the oldest records dated back to early 2019. The publicly exposed S3 bucket contained over 9,000 files that included booking details including full names, gender, full addresses, phone numbers, email addresses, patient UIDs (unique identification numbers), digital signatures, limited payment details, doctor details and codes, and details and pictures of where, when, and what laboratory tests were taken,” Toivonen told Mint.
Some of the records also contained additional remarks about the patient, such as if they had tested positive for Covid-19.
The data exposure was first reported by technology news website TechCrunch.
The company, which is India’s largest diagnostic chain, was for months storing hundreds of large spreadsheets containing sensitive patient data in a storage bucket on Amazon Web Services without a password, which allowed anyone to access the data inside.
Toivonen disclosed the data exposure to Dr Lal PathLabs last month, and a couple of hours later, the diagnostic chain quickly shut down access to the bucket, he said.
“It’s unclear for how long it was exposed or if any malicious actors have accessed the data while it was exposed,” Toivonen said.
In a statement to Mint, Dr Lal PathLabs confirmed that there was an…
Leroy Leo, Abhijit Ahaskar