A significant data breach was uncovered at Redcliffe Labs, a leading Indian diagnostic service provider, where over 12 million healthcare records, including medical diagnostic scans, test results, and patient information, were left unprotected without password security.
Cybersecurity expert Jeremiah Fowler, who found the data trove, alerted Redcliffe Labs, following which the firm, promptly secured the database the same day. This incident raises serious concerns about data protection measures and the potential misuse of such sensitive records.
Redcliffe Labs provides a range of healthcare services, encompassing diabetes, cancer, genetic testing, HIV, pregnancy, and additional medical areas.
12 Million Redcliffe Labs Records Exposed!
The database from Redcliffe Labs not only contained patient data, but also the names of the attending doctors. The records, exceeding 12 million in number, revealed whether the samples were collected at patients’ homes or directly at Redcliffe Labs. The breach led to a staggering 7 terabytes of data being left unprotected.
The exposed 7TB Redcliffe Labs database contained a total of 12,347,297 records.
The other details in the exposed Redcliffe Labs records were as follows:
- A folder named test results with over 6 million PDF documents.
- Reports with 1,180,000 objects amounting to 620.5GB.
- Another set of documents with 1,164,000 objects amounting to 1.5Tb data.
- A test results folder with 6,090,852 objects amounting to 2.2TB.
- Miscellaneous folders with 3,912,445 objects amounting to 2.7Gb data.
The miscellaneous folder was a collection of PDF files, internal business documents, and development files. It also contained logging records and mobile application details.
The mobile application of Redcliffe Labs was also exposed which could be misused to affect the functionality and data sharing between the diagnostic centre and patients.
Notifying Redcliffe Labs of the 7TB Data Breach
Addressing the discovery of the exposed Redcliffe Labs records, the cybersecurity researcher wrote in a report, “Upon further investigation, the documents were marked as belonging to an India-based company called Redcliffe Labs.”
“I immediately sent a responsible disclosure notice, and I received a reply acknowledging my discovery and thanking me for my efforts,” Jeremiah further added.
Although the exposed Redcliffe Labs records were secured by changing the settings to restrict public access, it is unclear if hackers had already pilfered sensitive data and launched social engineering attacks using the records of patients.
It is not known how long the exposed Redcliffe Labs records were left that way.
Since its inception in 2018, Redcliffe Labs has expanded its operations to include over 60 laboratories and more than 2000 wellness and collection centers across India.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.