Millions of patients’ data exposed by Dr Lal PathLabs

A new data leak has exposed the data of millions of patients, including their COVID-19 test results. One of India’s largest testing laboratories, Dr Lal PathLabs, failed to secure the personal data of millions of patients.

Dr Lal PathLabs was storing sensitive patient data on Amazon Web Services (AWS) without a password, making the data accessible to all. The data was stored on the unsecured cloud server for almost a year. The data included patients’ booking details such as their name, address, phone number, email id, payment details, digital signature, and also the type of medical tests they had taken. The leaked data reportedly revealed novel coronavirus test details too.

The data was available in the public domain and accessible to all until September, when the breach was highlighted by Australia-based cybersecurity expert Sami Toivonen.

After this, Dr Lal PathLabs “quickly shut down access to the bucket.”

Medical data is highly valued on the dark web, and generally, this kind of data can be misused in many ways in scams, fraud and phishing, Toivonen said.

“Their customers should be on the lookout for emails, text messages, and phone calls from fraudsters posing as Dr Lal PathLabs or a related company. Scammers can use the database’s information to make the message seem more convincing,” he added.

Speaking about the major data breach, Toivonen said: “Once I discovered this, I was blown away that another publicly listed organisation had failed to secure their data. I’m glad that they secured it within a few hours after I contacted them because this kind of exposure with millions of patient records could be misused in so many ways by the malicious actors.”

Recommendations:

  1. Restrict access to the bucket in order to prevent unauthorized access to the data.
  2. Use S3 Server-Side Encryption (SSE), which lets Amazon encrypt the data at the object level as it writes it to disk and decrypt it transparently for you when it is accessed.
  3. Enable file-level audit logging and save the logs to a central location, allowing you to analyse the logs in the event of a potential incident.
  4. Properly determine the classification of all data hosted in S3, such as “public”, “confidential” or “protected”. Don’t mix confidential or protected data with public data.
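
The four recommendations can be checked mechanically against a bucket's settings. The following is an added example, not code from Dr Lal PathLabs or from the researcher: it audits settings shaped like the S3 API responses (policy document, ACL grants, Block Public Access flags, default encryption rules, server access logging target, tags). The bucket names, the `classification` tag key and both sample configurations are constructed for illustration, and S3 server access logging stands in for the audit logging of recommendation 3.

```python
import json

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
LEVELS = ("public", "confidential", "protected")  # labels from recommendation 4

def public_statements(policy_json):
    """Sids of Allow statements open to any principal with no Condition (treated as public)."""
    stmts = json.loads(policy_json or "{}").get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    hits = []
    for i, st in enumerate(stmts):
        who = st.get("Principal")
        who = who.get("AWS") if isinstance(who, dict) else who
        anyone = who == "*" or (isinstance(who, list) and "*" in who)
        if st.get("Effect") == "Allow" and anyone and not st.get("Condition"):
            hits.append(st.get("Sid", f"statement[{i}]"))
    return hits

def audit_bucket(cfg):
    """Return (recommendation number, message) findings for one bucket's settings."""
    out = []
    tags = {t["Key"]: t["Value"] for t in cfg.get("tags", [])}
    level = tags.get("classification")  # hypothetical tag key, an assumption of this example
    open_to = [f"policy {s}" for s in public_statements(cfg.get("policy"))]
    open_to += [f"ACL {g['Permission']}" for g in cfg.get("acl_grants", [])
                if g.get("Grantee", {}).get("URI") == ALL_USERS]
    off = [f for f in PAB_FLAGS if not cfg.get("public_access_block", {}).get(f)]
    if level != "public":  # anything not explicitly classified public must stay closed
        out += [(1, f"open to everyone via {o}") for o in open_to]
        if off:
            out.append((1, "Block Public Access off: " + ", ".join(off)))
    if not cfg.get("encryption_rules"):
        out.append((2, "no default server-side encryption rule"))
    if not cfg.get("logging", {}).get("TargetBucket"):
        out.append((3, "access logs are not delivered to a central bucket"))
    if level not in LEVELS:
        out.append((4, f"classification tag missing or unknown: {level!r}"))
    return out

# Constructed sample settings, shaped like the S3 API responses.
EXPOSED = {"policy": json.dumps({"Statement": [{"Sid": "PublicRead", "Effect": "Allow",
           "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-lab-bookings/*"}]}),
           "acl_grants": [{"Grantee": {"URI": ALL_USERS}, "Permission": "READ"}]}
HARDENED = {"public_access_block": dict.fromkeys(PAB_FLAGS, True),
            "encryption_rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}],
            "logging": {"TargetBucket": "example-central-logs", "TargetPrefix": "lab-bookings/"},
            "tags": [{"Key": "classification", "Value": "confidential"}]}

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit_bucket(cfg) or "no findings")
```

A bucket tagged `public` is allowed to be open, so the access findings only fire for untagged, confidential or protected buckets, which is the separation recommendation 4 asks for.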