Big Medical Diagnostic Company Exposed To Data Breach

A database with no password protection, containing over 12 million records that included medical diagnostic scans, test results, and other potentially sensitive medical records, was found exposed and at risk of a breach, according to cybersecurity researcher Jeremiah Fowler.

The database contained a massive number of medical test results that included the names of patients and doctors, whether the sample was collected at home or at a medical facility, and a wide range of other sensitive health information.

The total number of records was significant, at a count of 12,347,297 with a total size of 7 TB. Upon further investigation, the documents were marked as belonging to an India-based company called Redcliffe Labs. Fowler immediately sent a responsible disclosure notice and received a reply acknowledging the discovery and thanking him.

Public access was restricted the same day, but it is unclear how long the database was exposed or if any unauthorized individuals accessed the purported health records.

Redcliffe Labs is one of India’s largest diagnostic centers. It offers more than 3600 wellness and illness tests. Users can receive medical diagnosis services at home, at medical facilities, and online via a mobile application. These services include full-body checkups at home, blood testing, diabetes tests, joint care, vitamin tests, specialized testing services for cancer, genetics, HIV, pregnancy, and many others. Redcliffe Labs also advertises free sample collections and a consultation with a doctor as part of the service. According to their website, they have 2.5 million customers. However, a folder in the database named “test results” contained over 6 million PDF documents. This could indicate either that far more customers were potentially affected or that perhaps these were multiple tests from repeat customers.

According to their website “Redcliffe Labs is India’s fastest growing technology empowered diagnostics service provider having its home sample collection service in more than 220+ cities with 80+ Labs and 2000+ Walk-in Wellness and Collection Centres across India”.

Here is a breakdown of the records contained inside the database:

  • 12,347,297 total records were contained in the database with a total size of 7 TB.
  • Documents marked as “Reports”: Total number of objects 1,180,000 with a total size of 620.5 GB. These were also test results and appeared to be in a basic form without a header logo.
  • Smart Report Storage: Total number of objects 1,164,000 with a total size of 1.5 TB. These documents showed the test results in an info-graphic style.
  • Folder named “Test results”: Total number of objects 6,090,852 with a total size of 2.2 TB.
  • Miscellaneous folders containing non-password protected files: Total number of objects 3,912,445 with a total size of 2.7 GB. These folders included .PDF files, internal business documents, logging records, mobile application and development files.

A single blood test result contained the patient’s name, the patient’s ID number, detailed health data, the doctor’s name, and other test-related information.

Mobile Application Files Exposed

Redcliffe Labs’ mobile application is popular and available on both Google Play and Apple’s App Store. In addition to the millions of medical records, the database also contained development files from their mobile application. Exposed application files can potentially represent a significant risk in the wrong hands. These files control the functionality of an application and even the data transmitted from the user to the host server. Malicious actors could potentially use this information or files to carry out various cyberattacks and compromise user data, application functionality, or the security of the mobile device itself.

One of the biggest possible risks is the manipulation or modification of the application’s code files. The files could be edited to include malicious code that would allow cybercriminals to compromise the integrity and security of the app, inject malware, or add other unauthorised functionality.

Once the code has been manipulated, attackers could potentially intercept or access a patient’s private data, including tests, scans, or other sensitive information.

Cybercriminals gaining access to a user’s health and medical testing data could result in serious privacy violations. Additionally, exposed code or resource files can hypothetically be used to reverse engineer, analyse, or decompile the application to see how it functions. This could possibly lead to the identification of additional vulnerabilities and weaknesses that can later be exploited.

Fowler confirms that there is no indication or suggestion that the Redcliffe Labs app is vulnerable or has been compromised in any way. The concerns outlined here are general in nature and highlight the potential ramifications of source code exposure in any app.

Cybersecurity Challenges in Healthcare

This data exposure revealed the private health information of millions of patients, and it serves as a stark reminder of the challenges healthcare organisations face in securing patient information and health data. No matter where they live or work, people around the world expect some level of privacy and data security when it comes to their personal and medical information. New technology makes diagnostic testing more accessible and affordable, but it also creates new cybersecurity challenges for companies that provide these services.

The healthcare industry has always been a prime target for cyberattacks due to the valuable nature of the data it holds. It is worth noting that whenever medical records are exposed, there is an increased potential risk of identity theft, medical fraud, or the misuse of private health information.

While credit cards, identification documents, and other records have an expiration date, personal health data is non-perishable and is particularly valuable to criminals.

On the dark web, healthcare records can sell for as much as 1,000 USD each; credit card data, for comparison, usually sells for 5 USD. This makes health and medical data highly valuable targets for hackers and cybercriminals who are motivated by financial gain.

Any healthcare organisation that collects and stores medical data must take every possible step to protect patient information and be proactive against malicious actors and data exposures. Fowler's research emphasises the need for health-tech companies to invest in cybersecurity and modernise their IT infrastructure. This includes implementing data encryption for sensitive records, regularly testing data storage repositories for unauthorised or public access, and staying up to date with emerging security protocols.

Cybersecurity training for all staff members and third-party contractors can also help reduce the risk of a data breach caused by human error. Finally, having an incident response plan can help mitigate the impact of a potential breach by ensuring that the authorities, customers, and others who may have been affected are notified.

Individuals who believe their data may have been compromised should be cautious about sharing their health information and should monitor their financial and medical records for any suspicious activity. Individuals with health insurance or access to their personal medical history who see prescribed medications or treatments that they never received should treat this as a possible sign of a larger problem, or even of fraud.

The Right to Data Protection

In August 2023, India enacted a sweeping new privacy law titled the Digital Personal Data Protection Act, 2023 (DPDP Act). The DPDP is India’s first comprehensive data protection law. It covers a wide range of data issues and applies to any organization that operates within India or targets Indian customers.

Under the DPDP Act, companies that suffer a data breach must inform the authorities and the affected individuals about the nature and scale of the breach within 72 hours of identifying and validating it.

Additionally, the DPDP Act imposes financial penalties on companies that fail to comply with the new regulations. The penalties can range from INR 10,000 (USD 120) to INR 250 crore (USD 30.2 million). 

As of the time of this publication, it is not known if Redcliffe Labs has notified the proper authorities or the potentially affected individuals regarding the data exposure. Fowler does not imply or claim any wrongdoing by Redcliffe Labs, nor does he claim that patients or users’ health data was ever at imminent risk or accessed by any other outside individuals.

It would require a thorough investigation, potentially including a forensic audit, to identify who else may have had access to the millions of publicly exposed health records and internal information. Fowler's goal is to promote the safety of cyberspace and bring awareness of the potential risks of such a large data breach.

Jeremiah Fowler is a Security Researcher and co-founder of Security Discovery.

This is an abridged version of an article first available at WebSite Planet.
