SECURITY
Millions of customer records belonging to Dr. Lal PathLabs Ltd., one of India’s largest medical testing firms, have been found exposed online in the latest case of a company failing to secure its cloud storage.
The database, discovered by security researcher Sami Toivonen and first reported today by TechCrunch, was found exposed to all and sundry on an Amazon Web Services Inc. S3 bucket without a password. The records in the database included booking details, names, gender, addresses, phone numbers, email addresses, patient identification numbers, digital signatures, limited payment details, doctor details and testing information. The data also included information on patients who had tested positive for COVID-19.
It’s not clear whether the exposed data included only patients in India or also patients from other countries where Dr. Lal PathLabs operates. The company has operations in 20 countries, including in Southeast Asia, the Middle East and Africa.
Upon discovering the database in September, Toivonen said he contacted the company and the database was taken down, but he never heard back from it. In a statement to Livemint, Dr. Lal PathLabs confirmed the data exposure but claimed that the data exposed “involved less than 0.5% of our records and was immediately fixed.”
“It’s disturbing anytime patients’ protected health information is exposed,” said Ben Goodman, certified information systems security professional and senior vice president of global business and corporate development at digital identity firm ForgeRock Inc. “This type of data can be used by attackers to create synthetic identities for bots, answer knowledge-based authentication questions that arise during password resets to hijack unsuspecting victims’ accounts and an attacker could even use the information given to guess a user’s password at random.”
James Carder, chief security officer and vice president of security information and event management company LogRhythm Inc., noted that though a move to cloud-based storage is beneficial, it’s important for a company to understand what that means.
“Unfortunately, Dr. Lal PathLabs did not have stringent security measures in place to protect sensitive patient data, including information related to COVID-19 test results,” Carder said. “Poor IT hygiene, like leaving a cloud container insecure, publicly available to all on the internet, almost always results in a data breach, as we have witnessed numerous times over the past couple of years.”