NEW DELHI: In yet another breach of medical data, cybersecurity researcher Jeremiah Fowler discovered a non-password protected database housing over 12 million medical records, including diagnostic scans, test results, and other sensitive information. The database, which was exposed to the public, contained a staggering 12,347,297 records and spanned a total size of 7TB.
The Alarming Find
Upon further investigation, Fowler traced the database back to an India-based company, Redcliffe Labs, one of the nation’s largest diagnostic centers. The trove of sensitive medical data encompassed information like patients’ names, doctors, testing locations (whether done at home or a medical facility), and various other personal health details. The breach was not isolated, and it is unclear how long the data was vulnerable to unauthorized access.
A Glimpse into Redcliffe Labs
Redcliffe Labs boasts a vast range of medical services, offering over 3600 wellness and illness tests. These services include full-body checkups, blood tests, diabetes assessments, joint care, vitamin tests, and specialized testing for cancer, genetics, HIV and pregnancy, among others. The company’s website claims a customer base of 2.5 million individuals, but the exposed “test results” folder, comprising over 6 million PDF documents, hints at either more affected individuals or multiple tests from repeat customers.
According to the company’s website, Redcliffe Labs provides home sample collection services in more than 220 cities, operating 80 labs, and over 2000 wellness and collection centers across India.
What the Database Held
Fowler’s investigation unearthed several categories of data within the database:
- Reports: A total of 1,180,000 reports were stored in this section, comprising test results in a basic format without a header logo. The cumulative size was a massive 620.5 GB.
- Smart Report Storage: This section contained 1,164,000 documents presented in an info-graphic style, amounting to 1.5 TB in size.
- Test Results: A staggering 6,090,852 records were found here, totaling 2.2 TB.
- Miscellaneous Folders: These folders contained 3,912,445 non-password protected files, including PDFs, internal business documents, logging records, mobile application files, and development resources, all with a combined size of 2.7 GB.
Mobile Application Vulnerabilities
The breach at Redcliffe Labs did not stop at exposing medical records. The database also contained development files from their mobile application, which could potentially be a goldmine for cybercriminals. These files control the application’s functionality and data transmission from users to the host server.
Of significant concern is the potential manipulation or modification of the application’s code files. Cybercriminals could insert malicious code that compromises the app’s integrity and security, inject malware, or add unauthorized functionalities. Once the app had been tampered with, attackers could potentially access a patient’s private data, including sensitive tests and scans, leading to grave privacy violations.
Additionally, the exposed code and resource files could be used to reverse-engineer the application, uncovering vulnerabilities that can later be exploited.
Reassurance from Redcliffe Labs
Redcliffe Labs’ website does not indicate any vulnerabilities or compromises of their mobile app. The concerns raised are general in nature, emphasizing the potential dangers of source code exposure in any application.
The responsible disclosure by Jeremiah Fowler prompted immediate action from Redcliffe Labs, with the public access to the database being restricted the same day. However, it remains uncertain how long the database was exposed or whether unauthorized individuals accessed the sensitive health records.
As medical data breaches continue to pose a significant threat to individuals’ privacy, this incident serves as a stark reminder of the importance of robust data protection measures and the need for continuous vigilance in the realm of digital security.
Cybersecurity Challenges in Healthcare:
- Data exposure highlights the ongoing struggle healthcare organizations face in safeguarding patient information and health data.
- Growing accessibility and affordability of diagnostic testing bring new cybersecurity challenges for healthcare service providers.
- The healthcare industry has always been a prime target for cyberattacks due to the immense value of the data it holds.
- Medical records pose higher risks of identity theft, medical fraud, and misuse due to their enduring value and high resale prices on the dark web.
Recommendations for Healthcare Organizations:
- Organizations collecting medical data should prioritize patient information protection and proactively defend against malicious actors and data exposures.
- Key measures include data encryption for sensitive records, regular testing of data storage for unauthorized access, and staying updated with emerging security protocols.
- Extensive cybersecurity training for all staff members and third-party contractors is essential to reduce data breach risks due to human error.
- Developing an incident response plan is vital to mitigate the impact of potential breaches and notify relevant parties promptly.
The Right to Data Protection:
- In August 2023, India enacted the Digital Personal Data Protection Act, 2023 (DPDP Act), a comprehensive data protection law.
- The DPDP Act mandates companies to report data breaches to authorities and affected individuals within 72 hours of identification, with financial penalties for non-compliance.
- Penalties under the DPDP Act range from INR 10,000 (USD 120) to INR 250 crore (USD 30.2 million).
Redcliffe Labs and Data Exposure:
- It remains unknown if Redcliffe Labs has informed authorities or affected individuals about the data exposure.
- No implication of wrongdoing by Redcliffe Labs or imminent risk to patient data is suggested.
- A thorough investigation, potentially including a forensic audit, is required to identify who else may have had access to the exposed health records and internal information.
- The goal is to raise awareness about cybersecurity risks and promote cyberspace safety, with no extraction of sensitive data containing personally identifiable information (PII). Only a limited number of screenshots were taken to validate findings.