1.3 Million-Record Database of Netherlands COVID-19 Testing Lab Exposed Online
A medical laboratory in the Netherlands that served as a COVID-19 testing facility has left a database exposed on the Internet that contained the sensitive data of almost 1.3 million individuals including names, dates of birth, appointment details, email addresses, COVID-19 testing information, and passport numbers.
The exposed database was found by Jeremiah Fowler, co-founder of Security Discovery and security researcher at vpnMentor. The database required no authentication: anyone who knew its URL path could access its entire contents. It held an estimated 1,285,277 records, including 118,441 certificates, 506,663 appointments, 660,173 testing samples, and a small number of internal application files. It also contained thousands of QR codes that linked to web pages listing appointment details and email addresses.
The documents carried the name and logo of a now inaccessible website, Coronalab.eu, which belongs to Coronalab. Coronalab is owned by the Amsterdam-based ISO-certified laboratory Microbe & Lab, one of the two largest commercial medical test providers in the Netherlands. Fowler tried to contact Coronalab on several occasions to report the exposed database but received no response. The database remained exposed for a further three weeks until Fowler contacted the cloud hosting provider, Google, which secured it to prevent further unauthorized access. It is unclear how long the database had been exposed before Fowler found it, or whether anyone else accessed it.
Since names, dates of birth, testing information and email addresses were present in the database, the information could be used by cybercriminals in phishing attacks impersonating Coronalab employees. As Fowler explained, phishing emails could be crafted with details known only to the individuals concerned and Coronalab, increasing the chance of a response.

“In my professional opinion, now that the pandemic is mostly behind us, it is time for organizations to review the massive amounts of data they have stored and determine if these records are still needed,” said Fowler. “If they are, organizations must ensure the data is secured from unauthorized access. The records should be encrypted or anonymized to prevent unwanted data exposures or threats from malicious actors.”