The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

1.3 Million-Record Database of Netherlands COVID-19 Testing Lab Exposed Online

A medical laboratory in the Netherlands that served as a COVID-19 testing facility has left a database exposed on the Internet that contained the sensitive data of almost 1.3 million individuals including names, dates of birth, appointment details, email addresses, COVID-19 testing information, and passport numbers.

The exposed database was found by Jeremiah Fowler, co-founder of Security Discovery and security researcher at vpnMentor. The database did not require any authentication to access and the entire database could be accessed by anyone who knew the path name. The database included an estimated 1,285,277 records, including 118,441 certificates, 506,663 appointments, 660,173 testing samples, and a small number of internal application files. The database also contained thousands of QR codes that linked to web pages that included appointment details and email addresses.

The documents had the name and logo of a now-inaccessible website, Coronalab.eu, which belongs to Coronalab. Coronalab is owned by the Amsterdam-based ISO-certified laboratory, Microbe & Lab, one of the top two commercial medical test providers in the Netherlands. Fowler tried to contact Coronalab on several occasions to inform the company about the exposed database but received no response. The database remained exposed online for three weeks until Fowler contacted the cloud hosting company, Google, which secured the database to prevent further unauthorized access. It is unclear how long the database was exposed online and how many people found it.

Since names, dates of birth, testing information and email addresses were present in the database, the information could be used by cybercriminals in phishing attacks impersonating Coronalab employees. As Fowler explained, phishing emails could be crafted with information only known to the individuals concerned and Coronalab, increasing the chance of a response.

“In my professional opinion, now that the pandemic is mostly behind us, it is time for organizations to review the massive amounts of data they have stored and determine if these records are still needed,” said Fowler. “If they are, organizations must ensure the data is secured from unauthorized access. The records should be encrypted or anonymized to prevent unwanted data exposures or threats from malicious actors.”


Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
