A cybersecurity researcher has claimed to have detected a data breach of Redcliffe Labs, one of India’s largest diagnostic centers, which has allegedly exposed 12 million patient records.
Jeremiah Fowler says he discovered and reported a non-password-protected database that held over 12 million records containing medical diagnostic scans, test results, and other potentially sensitive medical records, WebsitePlanet claimed in a mail to IPP Catalog Publications, publisher of the B2B platforms HealthTekPak, Packaging South Asia, Indian Printer & Publisher and IndiFoodBev.
The IPP Group could not independently verify the allegations, which were also reported by other media houses.
The database contained a massive amount of medical test results that included the names of patients and doctors, whether the testing sample was done at home or at a medical facility, and a wide range of other sensitive health information, Fowler wrote on WebsitePlanet.
“The total number of records was significant, at a count of 12,347,297 with a total size of 7TB. Upon further investigation, the documents were marked as belonging to an India-based company called Redcliffe Labs. I immediately sent a responsible disclosure notice, and I received a reply acknowledging my discovery and thanking me for my efforts. Public access was restricted the same day, but it is unclear how long the database was exposed or if any unauthorized individuals accessed the purported health records,” Fowler said.
Redcliffe Labs is one of India’s largest diagnostic centers. It offers more than 3600 wellness and illness tests. Users can receive medical diagnosis services at home, at medical facilities, and online via a mobile application. These services include full-body checkups at home, blood testing, diabetes tests, joint care, vitamin tests, specialized testing services for cancer, genetics, HIV, pregnancy, and many others, he wrote.
“According to their website, they have 2.5 million customers. However, a folder in the database named ‘test results’ contained over 6 million PDF documents. This could indicate either that far more customers were potentially affected or that perhaps these were multiple tests from repeat customers,” Fowler said.
Breakdown of the records as claimed by Fowler:
- 12,347,297 total records were contained in the database with a total size of 7 TB
- Documents marked as ‘Reports’: Total number of objects 1,180,000 with a total size of 620.5 GB. These were test results and appeared to be in a basic form without a header logo.
- Smart Report Storage: Total number of objects 1,164,000 with a total size of 1.5 TB. These documents showed the test results in an info-graphic style.
- Folder named ‘Test results’: Total number of objects 6,090,852 with a total size of 2.2 TB
- Miscellaneous folders containing non-password protected files: Total number of objects 3,912,445 with a total size of 2.7 GB. These folders included .PDF files, internal business documents, logging records, mobile application and development files.
Financial Express.com reported Pabhat Pankaj, CTO, Redcliffe, as saying that there is no data breach.
“At Redcliffe Labs, we take the security of our customers’ data extremely seriously and thus all our infrastructure is built to secure this at the highest level. In our lab and other IT environment, we’ve implemented dedicated firewalls to secure the IT infrastructure, even in non-production settings. This is also to address that there isn’t any data breach that has happened at Redcliffe Labs. For us, security isn’t just about the end result; it’s about every step in the process. We’d like to emphasise that all our databases are stored within private VPCs, making them inaccessible to the public, even with credentials,” Pabhat Pankaj, CTO, Redcliffe told Financial Express.com.