Yet another data leak incident has shaken us all, and this time it is from Dr Lal PathLabs. A report has revealed that data of millions of patients was exposed, including information related to their Covid-19 test results. TechCrunch reported that Dr Lal PathLabs, one of India’s popular and largest testing lab firms, exposed the personal data of millions of patients in the public domain last month, making it accessible to everyone.
According to the report, Dr Lal PathLabs was storing hundreds of large spreadsheets that included sensitive patient data in a storage bucket hosted on Amazon Web Services (AWS). The patients’ data were stored without a password on the server. This allowed anyone and everyone to access these details.
Type of Data Leaked:
The leaked data included sensitive information of patients including booking details, names, gender, addresses, phone numbers, email addresses, digital signature, payment details and doctor details along with the type of test taken.
Currently, Dr Lal PathLabs tests 70,000 patients per day. The report further claims that the leaked data even revealed the Covid-19 test status of some patients.
The leaked patient data was first discovered by Australia-based security expert Sami Toivonen, who reported the data exposure to Dr Lal PathLabs in September.
How will customers be affected, and how is Dr Lal PathLabs responsible?
Chances are high that the data will be sold to cybercriminals, and these fraudsters will use various social engineering methods to trap these people and make them victims of cyber or financial fraud.
It is the duty of a service provider to ensure the safety of its customers’ data. The company will be held responsible if the leak happened at its end or if a loophole in its data management is found.
Following this, the testing firm “quickly shut down access to the bucket but the company did not reply”. There are no records as to how long the storage bucket was exposed in the public domain.
Toivonen told TechCrunch, “Once I discovered this I was blown away that another publicly listed organization had failed to secure their data, but I do believe that security is a team sport and everyone’s responsibility.” “I’m glad that they secured it within a few hours after I contacted them because this kind of exposure with millions of patient records could be misused in so many ways by the malicious actors,” he added.
Commenting on the leak of patients’ personal data, a Dr Lal PathLabs spokesperson said that the company is “investigating” the security lapse. The company has also not revealed whether it plans to alert patients impacted by the data leak.
Implications:
There are several provisions under which the lab can be held responsible and a heavy fine can be imposed on it. Experts claim that such a crucial data leak is a violation of the disaster management and epidemic acts and amounts to a criminal offence.
In India, a fine of up to Rs 5 cr can be imposed for leaking sensitive personal data (SPD) under section 43A of the IT Act.