12M Patient Medical Records, Other Data Found Exposed on Web

An unsecured database of an India-based medical laboratory recently exposed more than 12 million test results, other patient records and development files for the company’s mobile health app, according to the security researcher who found the vulnerability. Redcliffe Labs has fixed the problem.

See Also: Revealing the Secrets of Synthetic Identity Fraud: Safeguarding Your Organization Amidst a Changing Threat Landscape

Researcher Jeremiah Fowler of security services firm Security Discovery in a report released Wednesday about the incident said the exposed 7-terabyte database contained more than 12.3 million records with documents marked as belonging to Redcliffe Labs.

Redcliffe Labs, a medical diagnostic testing firm based in Noida, Uttar Pradesh, describes itself as serving more than 220 cities and 2.5 million patients, with a “mission” to serve more than 500 million people by 2030 with testing ranging from “glucose to genetics.”

The exposed Redcliffe database “was accessible without any specialized tools,” Fowler told Information Security Media Group. “The individual files could be seen in a web browser and the database itself could be seen using a third-party open-source viewer or the native viewer provided by the cloud service provider for free,” he said.

Fowler said he did not determine exactly how long the Redcliffe database was left unsecured and did not know whether Redcliffe’s exposed data files had been accessed or compromised by unauthorized individuals, including hackers. Fowler said he notified Redcliffe about the exposure, and the company quickly fixed the issue.

“It was open at least several days from the time I discovered it until it was ultimately secured. Plenty of time to be a considerable risk,” he told ISMG.

Upon alerting Redcliffe about the recent discovery, the company “thanked” the researcher and restricted public access the same day, Fowler said.

“The database contained a massive amount of medical test results that included the names of patients, doctors, if the testing sample was done at home or at a medical facility, and a wide range of other sensitive health information,” Fowler wrote.

Among the data contained in the password-less database was a folder named “test results” containing over 6 million PDF documents, including the medical diagnostic scans, test results and other potentially sensitive medical records of an undetermined number of patients, he said.

Fowler told ISMG that the exposed Redcliffe medical records he saw ranged for patients of all ages, from teens to elderly. “However, on their website it says they also offer prenatal and pediatric testing services. So, it is safe to say all ages were affected.”

In addition to the patient records, the database also contained development files from Redcliffe’s mobile application, Fowler said. “Exposed application files can potentially represent a significant risk in the wrong hands. These files control the functionality of an application and even the data transmitted from the user to the host server,” he said.

“Malicious actors could potentially use this information or files to carry out various cyberattacks and compromise user data, application functionality, or the security of the mobile device itself.”

Under India’s new privacy law, the Digital Personal Data Protection Act 2023, which went into effect in August, companies must report to authorities and notify affected individuals about the nature and scale of a data breach within 72 hours of identifying and validating it.

Redcliffe Lab’s Response

Pabhat Pankaj, CTO of Redcliffe Labs, in a statement to ISMG did not provide additional details or comment on Fowler’s research, but he denied the company suffered a data breach.

The company’s infrastructure is built to secure customer data “at the highest level,” Pankaj said. “In our lab and other IT environment, we’ve implemented dedicated firewalls to secure the IT infrastructure, even in non-production settings. This is also to address that there isn’t any data breach that has happened at Redcliffe Labs,” he said.

“For us, security isn’t just about the end result; it’s about every step in the process.” Redcliffe databases are encrypted at rest and “are stored within private VPCs, making them inaccessible to the public, even with credentials,” he said.

“Our commitment to security is demonstrated by a robust security framework, including endpoint protection, vulnerability assessments, cloud security, and database encryption,” he said.

Pankaj said the Redcliffe “has undergone various information security checks, VAPT and other independent third-party assessment from time to time with the most recent audit concluded in September 2023. Rest assured, our dedication to cybersecurity is unwavering, and we continue to invest in cutting-edge technology to protect our customer’s information.”

Potential Risk

Fowler alleges that besides the potential privacy issues and cybercrime risks for Redcliffe patients whose medical records were exposed, the unsecured Redcliffe mobile app files are also highly concerning.

“One of the biggest possible risks is the manipulation or modification of the application’s code files,” he said in his report. “The files could be edited to include a malicious code execution that would allow cybercriminals to compromise the integrity and security of the app, inject malware or add other unauthorized functionality.”

Attackers could use the manipulated code to potentially intercept or access a patient’s private data, including tests, scans or other sensitive information, he said. “Additionally, exposed code or resource files can hypothetically be used to reverse-engineer, analyze or decompile the application to see how it functions. This could possibly lead to the identification of additional vulnerabilities and weaknesses that can later be exploited.”

Making Progress?

Fowler has previously discovered and alerted other organizations of similarly exposed databases, including an incident this summer involving an unprotected database of the Southern Association of Independent Schools affecting about 700,000 sensitive records of independent school students and faculty across 16 states (see: 700,000 Sensitive Teacher, Student Records Exposed on Web).

But Fowler said the Redcliffe incident “is one of the biggest healthcare breaches I have seen in nearly a decade as a security researcher.”

The range of test results exposed at Redcliffe is much wider than more specialized testing labs, he said. “Redcliffe Labs offers 3,600 different tests across hundreds of locations, creating a Pandora’s box of just how broad the scope of the data is,” he said.

Incidents that reach this scale “are few and far between these days.” he said. “Overall, the industry has taken the needed steps to do a better job of investing in cybersecurity and data protection,” Fowler said.