Dr Lal PathLabs left the data of millions of patients exposed on a public server, TechCrunch reported. Exposed data includes details about patient bookings, names, addresses, gender, date of birth, phone numbers, and details of which tests the patients had availed. Dr Lal PathLabs, one of the largest diagnostic labs in the country with 200 laboratories nationwide, is also a government certified private laboratory for carrying out diagnostic tests for COVID-19 in several states. Some of the exposed records also contained additional remarks, such as whether the patient had tested positive for COVID-19. The company had stored hundreds of large spreadsheets with patient data in a storage bucket hosted on Amazon Web Services without password protection, allowing immediate access to whoever discovered the bucket. Dr Lal PathLabs said the incident involved "less than 0.5% of our records and was immediately fixed" (see their full statement below). An Australian security expert, Sami Toivonen, found the exposed bucket and revealed the extent of the breach. He informed Dr Lal PathLabs in September, which took down access, per the TC report. It's not known for how long the bucket was exposed. The exposure's extent and nature is serious, especially given that it included COVID-related data of some customers. Consider a case wherein a customer on this list indeed has COVID-19, which by now is proven to cause long-term cardiovascular issues in some people. Could an insurance company charge such a person, who once was infected with the virus, a higher premium? Health data…
