A large open database was uncovered at Redcliffe Labs, a leading Indian diagnostic service provider, where over 12 million healthcare records, including medical diagnostic scans, test results, and patient information, were left unprotected without password security.
Cybersecurity expert Jeremiah Fowler, who found the data trove, alerted Redcliffe Labs, following which the firm, promptly secured the database the same day. This incident raises serious concerns about data protection measures and the potential misuse of such sensitive records.
Redcliffe Labs provides a range of healthcare services, encompassing diabetes, cancer, genetic testing, HIV, pregnancy, and additional medical areas.
In response to the query by The Cyber Express, Redcliffe Labs confirmed that the data was not breached, and even with credentials, it was inaccessible to the public. Prabhat Pankaj, the Chief Technology Officer of Redcliffe, responded by asserting that the company had not experienced any data breach on their part.
“We’d like to emphasise that all our databases are stored within private VPCs, making them inaccessible to the public, even with credentials,” Prabhat said. “They are further safeguarded by encryption at rest,” he said.
Highlighting the diagnostic center’s commitment to security, Prabhat conveyed to The Cyber Express that they have implemented a solid security infrastructure. This framework combines endpoint protection, thorough vulnerability assessments, cloud security measures, and robust database encryption to ensure data safety.
He further added that they have undergone various information security checks, VAPT, and third-party assessments, with the most recent audit concluded in September 2023. He also assured that Redcliffe Labs invests in cutting-edge technology to protect customer data.
12 Million Redcliffe Labs Records Exposed!
The database from Redcliffe Labs not only contained patient data, but also the names of the attending doctors. The records, exceeding 12 million in number, revealed whether the samples were collected at patients’ homes or directly at Redcliffe Labs. The exposure led to a staggering 7 terabytes of data being left unprotected.
The exposed 7TB Redcliffe Labs database contained a total of 12,347,297 records.
The other details in the exposed Redcliffe Labs records were as follows:
- A folder named test results with over 6 million PDF documents.
- Reports with 1,180,000 objects amounting to 620.5GB.
- Another set of documents with 1,164,000 objects amounting to 1.5Tb data.
- A test results folder with 6,090,852 objects amounting to 2.2TB.
- Miscellaneous folders with 3,912,445 objects amounting to 2.7Gb data.
The miscellaneous folder was a collection of PDF files, internal business documents, and development files. It also contained logging records and mobile application details.
The mobile application of Redcliffe Labs was also exposed which could be misused to affect the functionality and data sharing between the diagnostic centre and patients.
Notifying Redcliffe Labs of the 7TB Database
Addressing the discovery of the exposed Redcliffe Labs records, the cybersecurity researcher wrote in a report, “Upon further investigation, the documents were marked as belonging to an India-based company called Redcliffe Labs.”
“I immediately sent a responsible disclosure notice, and I received a reply acknowledging my discovery and thanking me for my efforts,” Jeremiah further added.
Although the exposed Redcliffe Labs records were secured by changing the settings to restrict public access, it is unclear if hackers had already pilfered sensitive data and launched social engineering attacks using the records of patients.
It is not known how long the exposed Redcliffe Labs records were left that way.
Since its inception in 2018, Redcliffe Labs has expanded its operations to include over 60 laboratories and more than 2000 wellness and collection centers across India.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
