New Delhi: Dr Lal PathLabs left a large cache of patient data exposed on a public server for several months, TechCrunch reported.
PathLabs, one of the private labs doing COVID-19 tests, serves around 70,000 patients a day. They left hundreds of large spreadsheets packed with sensitive patient data in a storage bucket on Amazon Web Services (AWS) without any password, making the data easily available for anyone to misuse.
Australia-based security expert Sami Toivonen detected the glitch and reported it to Dr Lal PathLabs last month. The company immediately shut down access to the bucket but apparently did not respond regarding the security lapse.
The period for which the bucket was exposed remains unknown. Toivonen told TechCrunch that the exposed data amounted to millions of individual patient bookings.
The spreadsheets contained daily records of patients’ lab tests, with each spreadsheet listing the patient’s name, address, gender, date of birth and cell number, as well as details of the test(s), thereby exposing data on their health conditions.
Data of COVID-19 positive patients was also exposed.
“Once I discovered this, I was blown away that another publicly-listed organization had failed to secure their data, but I do believe that security is a team sport and everyone’s responsibility. I’m glad that they secured it within a few hours after I contacted them because this kind of exposure with millions of patient records could be misused in so many ways by the malicious actors,” Toivonen said.
A spokesperson for Dr Lal PathLabs said the international service provider is “investigating” the security lapse.