50GB Patient Data Left Unsecured on AWS Database including COVID-19 Tests


A security researcher discovered an unsecured Amazon Web Services storage bucket that exposed approximately 50 GB of patient data, including the results of COVID-19 tests.

The unsecured bucket, hosted on AWS Simple Storage Service (S3), belongs to Dr Lal PathLabs, a large and well-known diagnostic chain based in India.

The bucket was discovered by Sami Toivonen, an Australia-based security expert, who said it was misconfigured and open to the public internet for at least a month, if not longer.

In addition to the COVID-19 testing information, the S3 bucket appears to have contained other lab test results as well as patients’ names, dates of birth, addresses and mobile phone numbers, Toivonen says.

Toivonen contacted Dr Lal PathLabs last month, and the company secured the bucket within a few hours, he says.

Toivonen said that he cannot comment on whether anyone else accessed the data in the Dr Lal PathLabs bucket, but he noted that anyone who found it could easily have accessed thousands of sensitive records.

“I can confirm that millions of records and thousands of files were exposed on a server that could be accessed by anyone with an internet connection,” Toivonen says. “The exact size of all files together is unknown, but 50 GB would probably be a fair estimate, while the biggest files were around 700 MB.”

Unsecured data is a growing problem for organizations, especially as more and more of it is moved into cloud storage.

Organizations need to get the access configuration right. An S3 bucket is not protected by a password but by its bucket policy, its ACL, the IAM permissions of the callers and the account- and bucket-level Block Public Access settings; a single policy statement or ACL grant that allows anonymous reads is enough to make every object in the bucket readable by anyone on the internet. Under the shared-responsibility model, large cloud providers like Amazon and Microsoft secure the underlying platform but leave securing the data stored on it to their customers. Whether anyone else actually read the exposed files can only be established if S3 server access logging or CloudTrail data-event logging was already enabled for the bucket; neither is switched on by default.

“This also serves as an important reminder for all of us that even if you’re AWS’s public success story and case study, you’re definitely not immune to data breaches and misconfigurations. To put it another way, any cloud service provider won’t take over your responsibility to secure the users and data (SaaS) or applications, networks and APIs (IaaS),” Toivonen noted in a LinkedIn post about his discovery.
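The misconfiguration at the heart of this story can be checked for mechanically. The following is an added example written for this article, not code from Dr Lal PathLabs, the researcher or AWS: it audits the three documents that decide whether a bucket is world-readable (the bucket policy, the bucket ACL and the Block Public Access configuration) in the JSON shape that the `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` commands return. The sample policies below are constructed; the bucket name, the role name and the account ID (AWS’s 123456789012 documentation placeholder) are hypothetical, and the weak policy is shown next to a hardened one that grants access only to a named role.

```python
"""Audit an S3 bucket's policy, ACL and Block Public Access settings for
the anonymous-read exposure described in the article.

Added illustration, not code from the article, Dr Lal PathLabs or the
researcher. Sample documents are constructed; bucket name, role name and
account ID (AWS's 123456789012 documentation placeholder) are hypothetical.
"""
import json

# Grantee URIs that make an ACL grant world-readable. "AuthenticatedUsers"
# means any AWS account at all, not your account, so it counts as public too.
ANONYMOUS_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BPA_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


def _principals(statement):
    """Normalise the Principal element to a set of strings ("*" = anonymous).
    Both "Principal": "*" and "Principal": {"AWS": "*"} mean everyone."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return {"*"}
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return {aws} if isinstance(aws, str) else set(aws)


def public_allow_statements(policy_json):
    """Return (Sid, has_condition) for every Allow statement whose principal
    is anonymous. A Condition may narrow the grant (e.g. to a VPC endpoint)
    or may be ineffective (e.g. aws:SourceIp 0.0.0.0/0), so conditioned
    statements are still reported, flagged for manual review."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):   # a single statement need not be a list
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") == "Allow" and "*" in _principals(stmt):
            findings.append((stmt.get("Sid", f"statement[{index}]"),
                             "Condition" in stmt))
    return findings


def public_acl_grants(acl):
    """Return the permissions a bucket ACL grants to anonymous groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in ANONYMOUS_GRANTEES]


def block_public_access_gaps(config):
    """Return the Block Public Access settings that are not switched on.
    `config` is the PublicAccessBlockConfiguration object from the API."""
    return [name for name in BPA_SETTINGS if not config.get(name, False)]


# --- constructed sample documents -------------------------------------------
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",                       # anyone on the internet
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-lab-results/*",
    }],
})

HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # Only one named role may read objects (hypothetical role).
            "Sid": "ResultsApiRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/lab-results-api"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-lab-results/*",
        },
        {   # Deny with Principal "*" is fine: it removes access, never grants it.
            "Sid": "DenyPlaintextTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-lab-results",
                         "arn:aws:s3:::example-lab-results/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

WEAK_ACL = {"Grants": [{"Grantee": {"Type": "Group",
                                    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                        "Permission": "READ"}]}

WEAK_BPA = {name: False for name in BPA_SETTINGS}
HARDENED_BPA = {name: True for name in BPA_SETTINGS}


if __name__ == "__main__":
    print("weak policy:", public_allow_statements(WEAK_POLICY))
    print("hardened policy:", public_allow_statements(HARDENED_POLICY))
    print("weak ACL grants:", public_acl_grants(WEAK_ACL))
    print("Block Public Access gaps:", block_public_access_gaps(WEAK_BPA))
```

To run it against a real bucket, feed `public_allow_statements` the `Policy` string from `aws s3api get-bucket-policy --bucket NAME`, `public_acl_grants` the output of `aws s3api get-bucket-acl --bucket NAME`, and `block_public_access_gaps` the inner `PublicAccessBlockConfiguration` object from `aws s3api get-public-access-block --bucket NAME` (the account-wide equivalent is `aws s3control get-public-access-block --account-id ID`). Note that AWS has switched all four Block Public Access settings on by default for newly created buckets since April 2023, so an older bucket that predates that change keeps whatever it was created with and is the one most worth checking.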

Many healthcare organizations have run into the same problem, either being hacked outright or having information accessed by cyber criminals because of unsecured systems (see: Biggest Healthcare Breaches of 2020 – The Top 10 and Why They Matter).

Medical information and patient data are especially valuable to cyber criminals because these details give them a way to find and exploit potential victims.

“The intimate details about specific tests or health concerns can be used for more sophisticated and targeted attacks,” he says. “It can also pose a risk for the employers of the individuals, especially when people register on these kinds of private services with their work email. The exposed digital signatures with multiple personally identifiable information markers could potentially be used for identity theft.”

A spokesperson for Dr Lal PathLabs could not be immediately reached for comment.

About the author

Katie Brownley

Health & IT Journalist covering Cybersecurity News, Data Breaches and Security Industry News. Email is open for DM and News Tips are Welcome
