Dr Lal Path Labs, one of India’s biggest clinical lab testing companies has left the data of millions of its customers exposed on an unprotected storage bucket hosted on Amazon Web Services. This left sensitive data including medical data of millions of Indians exposed to attacks from malicious actors. The exposed data was found by an Australian security expert named Sami Toivonen, who reported the issue to Dr Lal Path Labs in September last month. Dr Lal Path Labs has since then secured the data and said that the exposed data amounted to about 0.5 percent of its total records.
The development was first reported by TechCrunch, who quoted Toivonen as saying that the exposed data amounted to millions of individual patient bookings. It is not known as to how long the bucket was exposed, and if anyone has maliciously accessed the Dr Lal Path Lab data. The data exposed on the unprotected bucket contained spreadsheets of daily records of patient lab tests. Those spreadsheets contained a patient’s name, address, gender, date of birth, contact number, details of booking, doctor details, limited payment details, patient unique identification numbers, and details and pictures of when, where, and what lab the tests were taken at. Reporters at TechCrunch also verified the details of several patients.
The report, however, quoted Toivonen as saying that Dr Lal Path Labs secured the data within hours of being notified. However, he said that the company did not respond to his disclosure.
Toivonen was also quoted by LiveMint as saying that the publicly exposed S3 bucket contained over 9,000 spreadsheets. Dr. Lal Path Labs also confirmed the exposure to LiveMint. The publication further quoted Dr Lal Path Labs as saying that the breach involved less than 0.5 percent of the company’s records and was immediately fixed. In its statement, Dr Lal Path Labs also acknowledged Toivonen’s alert about the exposed data. “We received an email from a cybersecurity researcher about a misconfiguration in one of our minor web applications where some temporary records were stored for operational purposes,” LiveMint quoted Dr Lal Path Labs as saying.
Dr Lal Path Labs is the largest lab testing company in India. The company is said to serve some 70,000 patients a day. It has also been testing patients for COVID-19 amid the pandemic, after getting approval from the government of India.