Data exposed at Dr Lal PathLabs

Dr Lal PathLabs left private medical records of millions of customers, including those who tested for covid-19, for about a year on an unsecured cloud server until the country’s largest diagnostic chain was notified about the exposure by cybersecurity expert Sami Toivonen.

“The estimate of total patient records is in millions and some of the oldest records dated back to early 2019. The publicly exposed S3 bucket contained over 9,000 files that included booking details, names, gender, addresses, phone numbers, email addresses, patient UIDs (unique identification numbers), digital signatures, limited payment details, doctor details and codes, and details and pictures of where, when, and what laboratory tests were taken,” Melbourne-based Toivonen said in an interview.

The company stored the spreadsheets containing sensitive patient data in a storage bucket on Amazon Web Services without a password, allowing anyone to access the data.

The data exposure, first reported by tech news website TechCrunch, highlights the poor security practices followed by firms that store sensitive information on cloud servers. These practices have given easy access to hackers scouring the Internet for personal data.

Toivonen said he last month notified the data exposure to Dr Lal PathLabs, which shut access within a couple of hours. “It’s unclear for how long it was exposed or if any malicious actors have accessed the data,” Toivonen said.

In a note, Dr Lal PathLabs confirmed there was an exposure of some of its data records.

“We received an email from a cybersecurity researcher about a misconfiguration in one of our minor web applications where some temporary records were stored for operational purposes. This involved less than 0.5% of our records and was immediately fixed. Relevant authorities have also been kept informed,” a Dr Lal PathLabs spokesperson said, adding the company is committed to information security.

Medical data is highly valued in the dark web, and generally, this kind of data can be misused in many ways in scams, frauds and phishing, Toivonen said.

“Their customers should be on the lookout for emails, text messages, and phone calls from fraudsters posing as Dr Lal Pathlabs or a related company. Scammers can use the database’s information to make the message seem more convincing,” he added. – Livemint