Many Indian firms have been found exposing their users' sensitive data, and this time it is Dr Lal PathLabs, one of the largest providers of diagnostic and related healthcare tests in India, that has been found exposing patients' sensitive data on a public server for months.
Australia-based security expert Sami Toivonen found that the company was storing hundreds of large spreadsheets containing sensitive patient data in a storage bucket hosted on Amazon Web Services (AWS) without a password, allowing anyone who found the bucket to access the data inside the spreadsheets.
After discovering the exposed data, he reported it to Dr Lal PathLabs and the company quickly shut down access to the bucket, but it had still not responded to Toivonen at the time of writing.
Toivonen notes that he does not know how long the bucket was exposed, but adds that the exposed data amounts to millions of individual patient bookings.
“Once I discovered this I was blown away that another publicly listed organization had failed to secure their data, but I do believe that security is a team sport and everyone’s responsibility,” Toivonen told TechCrunch. “I’m glad that they secured it within a few hours after I contacted them because this kind of exposure with millions of patient records could be misused in so many ways by the malicious actors.”
“I was also a little surprised that they didn’t respond to my responsible disclosure,” he said.
The exposed spreadsheets contained daily records of patient lab tests, including each patient's name, address, gender, date of birth and contact number, as well as details of the test the patient had taken, which can indicate or allow inference of a medical diagnosis or health condition.
Since Dr Lal PathLabs also offers COVID-19 tests, the exposed spreadsheets also showed which patients had taken a COVID-19 test at its labs.
When TechCrunch contacted Dr Lal PathLabs, a spokesperson for the company said it was "investigating" the security lapse but did not answer TechCrunch's questions, including whether the company plans to inform its patients of the exposure.
Source: TechCrunch