Covid test lab leaks details of over a million patients online
Unsecured data included names, dates of birth, and passport numbers
A leaked Covid-19 testing database which contains the personal details of an estimated 1.3 million people has been discovered online by a top security researcher.
The database, operated by Coronalab.eu, which is owned by Microbe & Lab, an ISO-certified lab based in Amsterdam, Netherlands, was found without password protection, and the documents within were all marked with the name and logo of the database owner.
Jeremiah Fowler, who reported the vulnerability to vpnMentor, attempted to contact CoronaLab with several responsible disclosure notices, but the database remained open until the cloud-hosting provider storing it was made aware of the issue and secured it from public access. It is unknown whether the database was directly managed by CoronaLab.
Data leakage, identity theft, and potentially much more
Inside the database, the full names, dates of birth and passport numbers of over a million people were discovered. The owner of the database, Microbe & Lab, is an ISO-certified lab based in Amsterdam, Netherlands.
The email addresses, test results, prices and locations of many other tests were also found within QR codes and .csv files. This information would be an absolute goldmine for a malicious actor, who could utilise the data to launch highly sophisticated Covid-19 related phishing attacks, commit fraud, or sell the data on.
Fowler noted in the research that it is not known who else had access to the data before it was discovered to be vulnerable, or how long it had been open to access, stating that, “only an internal forensic audit would identify if others may have accessed the database or performed any other suspicious activity. It is also unclear if customers, patients, or the authorities have been notified of the data incident.”
Fowler also pointed out that the improper storage of patient data is not only a risk to patient privacy, especially when the data is related to Covid testing, but “could also affect how patients view public healthcare providers and how much they trust them to safeguard their medical data.”
Covid is still relatively fresh in the minds of much of the world, and medical researchers are still grappling with potential long-term conditions such as ‘long Covid’. Fowler points out that the exposure of individual test results could have longer-term ramifications due to the obscurity of the long-term effects of the virus.
Due to the sensitivity of patient data, the Biden administration is seeking to introduce a new policy stating that medical providers must ensure that they follow the best security practices in order to secure funding.
Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.