The Covid-19 testing platform, Coronalab.eu, has exposed a database containing 11.8 million patient records, including Covid-19 certificates, test records, passport numbers, and other sensitive details, according to a report in Cybernews.

Coronalab.eu, a Dutch online platform for Covid-19 testing, left exposed a misconfigured Google Cloud Storage bucket holding 1.7 million files, covering 11.7 million records on individuals from 44 countries, the Cybernews researchers found.

Researchers claim that among the nearly two million exposed files, they have discovered 120,000 Covid certificates in QR code formats and 32,000 comma-separated values (CSV) files with over 11.7 million Covid test results.

The exposed documents cover a period from 2020 until 2022. The leak exposed a trove of sensitive and personally identifiable user data, including:

  • Patients’ names
  • Nationality
  • Dates of birth
  • Passport numbers
  • Covid test results
  • Email addresses
  • Phone numbers
  • Destination country if the test was taken for travelling reasons

According to the team, most leaked data likely belonged to Dutch nationals, as almost 89% of total leaked phone numbers came from the Netherlands. A further 1.5% were UK-based, 1.2% were from the USA, 0.8% were from Germany, and 0.8% were from Italy.

“Information security principles, particularly confidentiality, are critical in healthcare. A leak of coronavirus test results indicates a breach of confidentiality, indicating a failure in safeguarding sensitive medical information,” the researchers say.

They add that, since the Netherlands is governed by European Union law, the General Data Protection Regulation (GDPR) applies to how companies handle data. Meanwhile, sharing personal information, such as an individual’s name, address, date of birth, or other contact details without consent, could be considered a GDPR violation.

Company advised to review access, consider encryption

To mitigate the problems and avoid similar issues in the future, the research team advise that platform operators:

  • Change the access controls to restrict public access and secure the bucket. Update permissions to ensure that only authorised users or services have the necessary access.
  • Conduct a thorough audit of the access controls for the bucket. Review IAM (Identity and Access Management) policies and permissions assigned to users and service accounts. Make sure that the principle of least privilege is followed.
  • Retrospectively review access logs to assess whether the bucket has been accessed by unauthorised actors.
  • Consider encrypting both data in transit and data at rest. Features like server-side encryption offered by Google Cloud Storage can improve the security of the data that is stored.
  • Consider implementing security best practices, including regular audits, automated security checks, and employee training.
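
The access-control audit recommended above can be automated. The following is an added example, not code from Cybernews or Coronalab: it checks a bucket IAM policy for public principals and for broad roles on human accounts, then builds a policy with the public members removed. The sample policy, the account names, and the choice of which roles count as "broad" are constructed assumptions.

```python
import json

# Principals that make a Cloud Storage IAM binding public.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Assumption: roles treated as too broad for a human account in this audit.
BROAD_ROLES = {"roles/storage.admin", "roles/storage.objectAdmin",
               "roles/storage.legacyBucketOwner"}

# Constructed sample policy, in the JSON shape returned by
# `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.admin",
     "members": ["serviceAccount:etl@example-project.iam.gserviceaccount.com",
                 "user:contractor@example.com"]},
    {"role": "roles/storage.objectCreator",
     "members": ["serviceAccount:uploader@example-project.iam.gserviceaccount.com"]}
  ],
  "etag": "CAE="
}
""")

def audit_policy(policy):
    """Return (severity, role, member, reason) findings for one bucket policy."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(("HIGH", role, member, "bucket data is publicly reachable"))
            elif role in BROAD_ROLES and member.startswith("user:"):
                findings.append(("MEDIUM", role, member, "broad role on a human account"))
    return findings

def remediated(policy):
    """Copy of the policy with public members removed and empty bindings dropped."""
    bindings = []
    for b in policy.get("bindings", []):
        members = [m for m in b.get("members", []) if m not in PUBLIC_MEMBERS]
        if members:
            bindings.append({**b, "members": members})
    return {**policy, "bindings": bindings}

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(*finding, sep=" | ")
```

Run the audit again on the remediated policy before applying it; only the least-privilege finding should remain.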