
COVID Test Data Breach: 1.3 Million Patient Records Exposed Online

January 22, 2024

Jeremiah Fowler reports:

Cybersecurity researcher Jeremiah Fowler discovered and reported to vpnMentor a non-password-protected database that contained nearly 1.3 million records, which included COVID-19 testing information and personally identifiable information such as the patient’s name, date of birth, and passport number.

The publicly exposed database contained an estimated 1.3 million records that included 118,441 certificates, 506,663 appointments, 660,173 testing samples, and a small number of internal application files. The exposed certificates and other documents were all marked with the name and logo of Coronalab.eu. Although the website appears to be offline, Coronalab is owned by Microbe & Lab, an ISO-certified laboratory based in Amsterdam, Netherlands. According to the NL Times, “CoronaLab is one of the two largest commercial test providers in the Netherlands”. I sent multiple responsible disclosure notices and did not receive any reply, and several phone calls also yielded no results. The database remained open for nearly 3 weeks before I contacted the cloud hosting provider and it was finally secured from public access. In most cases, the organization replies or closes public access immediately after receiving a responsible disclosure notice. Another research-based online publication, Cybernews, claimed to have found a similar leak around the same time as my discovery. I cannot confirm if it’s related or not.

Read more at vpnMentor.