Dr Lal PathLabs data leak: Fine up to Rs 5 crore can be imposed as millions of patients at risk

New Delhi: If you have gone to Dr Lal PathLabs for getting a Covid-19 test done then chances are high that all your personal details have leaked online. According to reports, Dr Lal PathLabs, one of the largest lab testing labs in India, kept the huge data of its patients on a public server unprotected for months.

This has exposed the personal data of millions of patients in the public domain making it accessible to everyone last month. The lab testing giant serves around 70,000 patients a day. It was also among the few labs which got permission from apex health body ICMR to test Covid-19 patients.

Reports claim that Dr Lal PathLabs had stored hundreds of large spreadsheets that included sensitive patient data in a storage bucket hosted on Amazon Web Services (AWS). The patients’ data were stored without a password on the server. This allowed anyone and everyone to access these details.

According to cyber experts, the leaked data included sensitive information of patients including booking details, names, gender, addresses, phone numbers, email addresses, digital signature, payment details and doctor details along with the type of test taken.
The report further claims that the leaked data even revealed the Covid-19 test status of some patients.

The leaked patient data was first discovered by Australia-based security expert Sami Toivonen who reported to Dr Lal PathLabs about the expose of data in September.
Following this, the testing firm “quickly shut down access to the bucket but the company did not reply”. There are no records as to how long the storage bucket was exposed in the public domain.

Commenting on the leak of personal data of patients Dr Lal PathLabs spokesperson said that the company is “investigating” the security lapse. The company has also not revealed details on whether they plan to alert patients impacted with the data leak.

What does it mean to customers?
As the personal data of thousands of patient of Dr Lal PathLabs was out in open chances are high it will be sold to cybercriminals. These fraudsters will use various social engineering method to trap these people and make then victim of cyber or financial fraud.

Is Dr Lal PathLabs responsible?
It is the duty of service provider to ensure the safety of its customers’ data. The company will be held responsible if the leak has happened at their end or loophole in their data management is found.

Can Dr Lal PathLabs be punished?
Yes, there are several provision through which the lab can be held responsible and a heavy fine can be imposed on it. Experts claim that such crucial data leak is a violation of disaster management and epidemic act and amount to a criminal offence.

In countries like US heavy fine is imposed under Health Insurance Portability and Accountability Act (HIPAA) in such cases. Similarly, in India, a fine up to Rs 5 cr can be imposed for leaking sensitive personal data (SPD) under section 43A of IT Act