The database was owned by Redcliffe Labs, a popular Indian medical diagnostics company located in Noida, Uttar Pradesh.
Cybersecurity researcher Jeremiah Fowler discovered a non-password-protected database containing over 12 million records. The data included sensitive patient data such as medical diagnostic scans, test results, and other medical records. Fowler reported his findings to WebsitePlanet.
While investigating, Fowler found that the medical test results contained extensive personal details of patients, including their names, doctors’ names, health-related details, and whether the patient had undergone at-home testing or got tested at the medical facility. These documents belonged to an Indian medical diagnostics firm, Redcliffe Labs.
The database’s total size was 7TB, and it contained around 12,347,297 records. A folder marked “Reports” contained 1,180,000 objects (620.5GB). A documents folder marked “Smart Report Storage” had 1,164,000 objects (1.5GB), the folder titled “Test Results” had 6,090,852 objects (2.2TB), and other folders contained miscellaneous documents like internal documents, PDFs, logs, and app files. In total, these miscellaneous folders had 3,912,445 objects (2.7 GB).
Apart from the vast data trove, the exposed database also contained development files from the company’s mobile app. These files control the app’s functionality and data transmission.
For your information, Redcliffe Labs is among the leading diagnostic centers in India, offering over 3600 different wellness and illness tests. According to Redcliffe Labs’ website, the facility has a user base of 2.5 million. The company offers at-home testing sample collection services in 220+ Indian cities and boasts over 2000 Walk-in Wellness and Collection Centers across the country.
Following responsible disclosure practice, Fowler contacted the company, which responded swiftly. According to Fowler’s blog post, the database’s public access was restricted on the same day. However, it is unclear how long the database remained exposed and whether any unauthorized individual had accessed it.
Such breaches can have far-reaching consequences for the patients, as they may be exposed to identity theft, medical fraud, and extortion. If mobile app-related data gets into the wrong hands, cybercriminals can exploit it to launch cyberattacks, disrupt the app’s functionality, and jeopardize mobile users’ security.
The biggest risk factor is the exposure of application code, which threat actors can manipulate to inject malicious code and compromise the app, add unauthorized features, and inject malware. The exposure can put millions at risk because the exposed code can be analyzed or reverse engineered to reveal vulnerabilities in the app, leading to further exploitation.
Redcliffe Labs has not clarified if it has notified relevant authorities or the impacted individuals about the data exposure. Also, there’s no indication that the company’s mobile app is compromised or that someone had already accessed patient data before access was restricted. Hackread.com will post an update once the company shares more details on this incident.