Unsecured AWS Database Left Patient Data Exposed
Researcher: Server Belonging to India's Dr Lal Path Labs Left 50 GB of Data Exposed
An unsecured Amazon Web Services storage bucket belonging to India's Dr Lal PathLabs, which offers diagnostic testing, exposed approximately 50 GB of patient data, including notes related to the results of COVID-19 tests, according to a security researcher.
The AWS Simple Storage Service bucket, which was discovered in September, appears to have been misconfigured and open to the public internet for at least a month, says Sami Toivonen, an Australia-based security expert who found it. After Toivonen contacted Dr Lal PathLabs last month, the company secured the bucket within a few hours, he says.
In addition to the notes related to the results of COVID-19 testing, the S3 bucket appears to have contained other lab test results as well as patients' names, dates of birth, addresses and mobile phone numbers, Toivonen says.
Dr Lal PathLabs, which is headquartered in New Delhi, operates more than 200 clinical laboratories and nearly 6,500 sample-pickup points across India, according to the company's website. The company, which serves about 70,000 patients a day, was among the first to win regulatory approval to conduct COVID-19 testing in India.
Toivonen tells Information Security Media Group that he cannot comment on whether anyone accessed the data contained in the S3 bucket belonging to Dr Lal PathLabs, but he notes that anyone who found it could have easily accessed thousands of sensitive records.
"I can confirm that millions of records and thousands of files were exposed on a server that could be accessed by anyone with an internet connection," Toivonen says. "The exact size of all files together is unknown, but 50 GB would probably be a fair estimate while the biggest files were around 700 MBs."
A spokesperson for Dr Lal PathLabs could not be immediately reached for comment.
With so much data being uploaded to cloud-based storage, Toivonen says organizations need to ensure that these data stores are secured and configured properly with passwords. He notes that cloud services providers, such as Amazon and Microsoft, leave data security to their customers: under the shared responsibility model, the provider secures the underlying infrastructure, while the customer is responsible for configuring who may access its own data.
"This also serves as an important reminder for all of us that even if you're AWS's public success story and case study, you're definitely not immune to data breaches and misconfigurations. To put it another way, any cloud service provider won't take over your responsibility to secure the users and data (SaaS) or applications, networks and APIs (IaaS)," Toivonen noted in a LinkedIn post about his discovery.
Tim Mackey, a principal security strategist with the Synopsys Cybersecurity Research Center, stresses that cloud customers need to have a security plan in place.
"Cloud storage solutions are convenient and cost-effective, but we must not forget that proper configuration of any cloud service means configuring components, like S3 buckets, securely," Mackey tells ISMG.
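The misconfiguration the article describes comes down to three S3 controls that together decide whether a bucket is reachable by anonymous internet users: the bucket policy, the bucket ACL, and the account- or bucket-level Public Access Block settings. The following is an added example, not code from the article, from Toivonen or from Dr Lal PathLabs: a small static check that evaluates those three controls over a weak configuration of the kind that leaves a bucket listable and downloadable by anyone, and over a corrected one. The bucket name, account ID, role name and all policy/ACL JSON are constructed for illustration.

```python
# Added example (not from the article, Toivonen or Dr Lal PathLabs): a static check that decides
# whether an S3 bucket's policy, ACL and Public Access Block settings combine to leave it readable
# by anonymous internet users. Bucket name, account ID, role name and all JSON are constructed.
import json
from typing import Any, Dict, List

# Grantee URIs that mean "anyone on the internet" (AllUsers) or "anyone with an AWS account"
# (AuthenticatedUsers). Both count as public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (including "*" inside a list of principals)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def policy_public_statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Allow statements granted to an anonymous principal with no Condition block.

    Simplification: any Condition is treated as narrowing the grant. S3 itself still treats
    some conditions (e.g. aws:Referer alone) as public, so this check is optimistic there.
    """
    return [
        s for s in _as_list(policy.get("Statement", []))
        if s.get("Effect") == "Allow"
        and _principal_is_anonymous(s.get("Principal"))
        and not s.get("Condition")
    ]


def acl_public_grants(acl: Dict[str, Any]) -> List[str]:
    """Permissions (READ, WRITE, READ_ACP, ...) the ACL hands to a public group."""
    return [
        g["Permission"] for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS
    ]


def assess_bucket(policy: Dict[str, Any], acl: Dict[str, Any],
                  public_access_block: Dict[str, bool]) -> Dict[str, Any]:
    """Combine the three controls the way S3 applies them: IgnorePublicAcls neutralises public
    ACL grants and RestrictPublicBuckets neutralises a public bucket policy."""
    reasons = []
    grants = acl_public_grants(acl)
    if grants and not public_access_block.get("IgnorePublicAcls", False):
        reasons.append("ACL grants %s to a public group" % ", ".join(grants))
    statements = policy_public_statements(policy)
    if statements and not public_access_block.get("RestrictPublicBuckets", False):
        actions = sorted({a for s in statements for a in _as_list(s.get("Action", []))})
        reasons.append("bucket policy allows %s to Principal *" % ", ".join(actions))
    return {"public": bool(reasons), "reasons": reasons}


# --- Constructed sample configurations (hypothetical names, not real resources) ---------------
BUCKET_ARN = "arn:aws:s3:::example-lab-results"
READER_ROLE = "arn:aws:iam::123456789012:role/lab-results-reader"
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}

# Weak: the pattern that leaves a bucket listable and downloadable by anyone with a browser.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": ["s3:GetObject", "s3:ListBucket"],
                 "Resource": ["%s", "%s/*"]}]
}""" % (BUCKET_ARN, BUCKET_ARN))
WEAK_ACL = {"Grants": [OWNER, {"Grantee": {"Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
NO_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

# Fixed: a named role, TLS required, owner-only ACL and all four Public Access Block flags on.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "RoleReadOnly", "Effect": "Allow", "Principal": {"AWS": READER_ROLE},
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
                   "Condition": {"Bool": {"aws:SecureTransport": "true"}}}],
}
FIXED_ACL = {"Grants": [OWNER]}
FULL_BLOCK = {k: True for k in NO_BLOCK}


if __name__ == "__main__":
    print("weak :", json.dumps(assess_bucket(WEAK_POLICY, WEAK_ACL, NO_BLOCK)))
    print("fixed:", json.dumps(assess_bucket(FIXED_POLICY, FIXED_ACL, FULL_BLOCK)))
```

In practice the three inputs come from `aws s3api get-bucket-policy`, `aws s3api get-bucket-acl` and `aws s3api get-public-access-block` for each bucket in the account. Two caveats: the check is deliberately optimistic about statements that carry a Condition, so a policy gated only on a spoofable header such as aws:Referer would pass it; and the simplest external confirmation that a bucket is public is an unauthenticated GET against the bucket's URL, which returns an XML listing when s3:ListBucket is open to everyone and an AccessDenied error otherwise.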
Other healthcare organizations have run into the same problem with misconfigured or unsecured cloud services (see: Misconfiguration Leads to Major Health Data Breach).
Toivonen notes that medical information is valuable to fraudsters because it offers far richer detail about potential victims than basic contact data.
"The intimate details about specific tests or health concerns can be used for more sophisticated and targeted attacks," he says. "It can also pose a risk for the employers of the individuals, especially when people register on these kinds of private services with their work email. The exposed digital signatures with multiple personally identifiable information markers could potentially be used for identity theft."