12 Million Medical Laboratory Records Exposed Online
Hackers can exploit unpatched vulnerabilities and trick employees into providing access, but sometimes huge amounts of sensitive health information are much easier to obtain, as security researcher Jeremiah Fowler recently confirmed. One of India’s largest diagnostic centers, Redcliff Labs, based in Noida, Uttar Pradesh, serves more than 2.5 million individuals in more than 220 Indian cities and provides a wide range of diagnostic testing services. Fowler found an unsecured Redcliff Labs database that contained the medical test results of more than 12 million individuals. The database had been exposed on the Internet and could be accessed without a password using a web browser, and its contents could be viewed using an open-source viewer or the native viewer provided by the cloud service provider.
The 7-terabyte database contained 12,347,297 records that included the names of patients and physicians, the location where the test was performed, test results, and other sensitive data, and a database folder was identified that contained more than 6 million PDF documents of test results. Tests offered by the lab include blood testing, diabetes tests, joint care, vitamin tests, and specialized testing services for cancer, genetics, HIV, pregnancy, and more. Fowler promptly notified Redcliff Labs, which secured the database the same day. It is unclear how long the database was exposed and whether it had been found by anyone else.
The database included other sensitive information, including development files for its mobile application, and the exposure of these files was potentially far more serious than the exposure of patient data. “These files control the functionality of an application and even the data transmitted from the user to the host server. Malicious actors could potentially use this information or files to carry out various cyberattacks and compromise user data, application functionality, or the security of the mobile device itself,” said Fowler in his report. “Exposed code or resource files can hypothetically be used to reverse engineer, analyze, or decompile the application to see how it functions. This could possibly lead to the identification of additional vulnerabilities and weaknesses that can later be exploited.” That did not necessarily happen in this case, but the discovery of the files demonstrates how damaging such an exposure could be.
The misconfiguration of databases allows huge amounts of sensitive information to be accessed with ease. Fowler searches for exposed data and notifies the entities concerned so that they can secure it, but he is far from the only person looking for exposed databases, and others do not have such benign motives. Healthcare organizations must ensure they provide adequate staff cybersecurity training, encrypt sensitive data in cloud environments, implement robust access controls, and develop and implement policies and procedures that incorporate checks of database security, and regular audits should be conducted of all data storage repositories. Exposed databases and unsecured cloud repositories are all too common. Other recent examples include:
1 Billion-Record Database of Searches of CVS Website Exposed Online
Medical Software Database Containing Personal Information of 3.1 Million Patients Exposed Online
Unsecured Database Exposed 16,000+ Children’s Records
Exposed Broadvoice Databases Contained 350 Million Records, Including Health Data
PHI of Tens of Thousands of Patients Exposed Online Due to Database Misconfiguration
5 Million Records Exposed Due to Unsecured MongoDB Marketing Database