Researcher Reported Configuration Issue to Cloud Vendor After Lab Failed to Respond

An unsecured database appearing to belong to a Netherlands-based medical laboratory exposed 1.3 million records on the internet, including COVID test results and other personal identifiable information, said a security researcher who discovered the trove.
Jeremiah Fowler, a researcher at security vendor vpnMentor and co-founder of security services firm Security Discovery, said in a report released Monday that the database, which lacked password protection, contained documents marked with the name and logo of Coronalab.eu, which is owned by Microbe & Lab, a medical laboratory based in Amsterdam.
The database’s approximately 1.3 million exposed records include 118,441 certificates, 506,663 appointments, 660,173 testing samples, and a small number of internal application files, Fowler said.
The leaked COVID test records contain patient names, nationality, passport number and test results, as well as the price, location and type of test conducted, the researcher said.
The database also contained thousands of QR codes and hundreds of .csv files that show appointment details and patient email addresses, he said. “With personal data and emails exposed, cybercriminals could attempt to exploit this information or launch targeted phishing campaigns using internal information or posing as a laboratory employee.”
Upon finding the exposed database, Fowler said, he tried for several weeks to contact Microbe & Lab by email and phone and sent multiple responsible disclosure notices about his discovery but received no response.
“They never replied, and because the database was exposed for nearly two weeks after I first reported it, I sent follow-up emails to everyone I could find an address for,” Fowler told Information Security Media Group. “I even called the number listed and spoke with someone I was told was a director, and that person didn’t take me seriously and sounded annoyed by what I was telling them.”
The data remained exposed until the researcher contacted Google, which hosted the database. Google “only provided the services, and the misconfiguration was done by the user,” Fowler told ISMG.
“The hosting provider can make changes to access on the back-end, and they have the names and direct contact information of their customers so they can reach them when security researchers can’t.”
The researcher said he does not know how long the database was exposed prior to his discovery, “but it would be shocking if it has been exposed since the peak of the pandemic and somehow went unnoticed for so long.
“I assume what happened was these documents needed to be accessible to medical patients so they were hosted in the server and then could be viewable in a web browser, email or app,” he said. “In this process, they accidentally left the entire database open – not realizing that if someone has the file path they could see the full database.”
Fowler has found a number of exposed databases over the years that contained healthcare and other sensitive data, including an unsecured database of an India-based medical lab containing more than 12 million records last year. In that case, the entity, Redcliffe Labs, promptly secured the database after Fowler had contacted the company, he said (see: 12M Patient Medical Records, Other Data Found Exposed on Web).
But the recent Coronalab database exposure was especially concerning to Fowler. “I have been looking for COVID data for almost three years, and this is the first time I have seen any COVID-related documents” exposed in unsecured databases, he told ISMG.
“I have found many medical records over the years, but none that compare to the chaos of the COVID era where testing was virtually involuntary to live a normal life. We traded our data and personally identifiable information for the freedom to travel, attend events and more. Testing and medical institutions may have not been ready for the massive influx of data,” he said.
“In a pandemic, we do not have the luxury of time for testing and development. There are many lessons to be learned from the COVID era, including data security.”
Taking Responsibility
Other experts say the lab incident underscores how healthcare entities sometimes hand over certain IT and other related responsibilities to third parties – such as cloud services firms – and then underestimate their own duties involving data security.
“Cloud computing usually offers greater security protections than healthcare providers can provide on their own,” said privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
“But even the most secure vault door will not do much good if it is left open at night,” Greene said. “Organizations using cloud computing need to understand what responsibilities fall on them, especially with respect to technical configurations, and seek to implement systems to properly configure their cloud resources and regularly audit those configurations.”
Regulatory attorney Brad Rostolsky of the law firm Greenberg Traurig LLP said data breaches involving misconfigurations unfortunately are becoming more commonplace. “Especially where the regulated entity is controlling the security of the cloud storage,” he said, “it’s important to be proactive.”
Greene said, “A good solution is to regularly check the settings associated with these sorts of databases and to utilize two individuals to separately monitor things. Human error is too often the cause of significant – and easily preventable – situations, and a second set of eyes can do wonders.”
Mishaps such as IT misconfigurations leading to major health data breaches also have been a recurring problem for the sector.
In some cases, health data breaches involving software or other IT misconfigurations that expose patient data on the internet have resulted in entities paying large regulatory fines or class action lawsuit settlements – and sometimes both.
Last October, Puerto Rico-based clearinghouse Inmediata agreed to pay $1.4 million to 31 states, plus Puerto Rico, to settle an action led by Indiana’s attorney general in the aftermath of a coding error that exposed the sensitive protected health information of about 1.5 million individuals.
An investigation into the Inmediata incident found that a coding mishap had allowed two web pages to be indexed by Bingbot from May 16, 2016, through Jan. 15, 2019, making individuals’ sensitive information viewable and downloadable through online search engines.
In addition to the settlement with the states, Inmediata paid $1.1 million in 2022 to settle a civil class action lawsuit against the company for the same incident (see: 33 State AGs Settle 3 Health Data Breach Cases).
In the recent database exposure involving Coronalab and Microbe & Lab, Fowler said it is unclear if the company’s customers, patients or the authorities have been notified of the incident under local regulatory requirements or the General Data Protection Regulation, which governs data protection and privacy for individuals within the European Union and the European Economic Area.
Microbe & Lab did not immediately respond to ISMG’s request for comment on Fowler’s discovery of the exposed Coronalab database.
