On Wednesday, Ukraine-based cybersecurity researcher Jeremiah Fowler discovered and reported a non-password-protected database containing over 12 million records, including medical diagnostic scans, test results and other potentially sensitive medical records. Fowler said the documents were marked as belonging to an India-based company called Redcliffe Labs.
According to Fowler's report, the database held a large number of medical test results that included the names of patients and doctors, whether the sample was collected at home or at a medical facility, and a wide range of other sensitive health information. In total it contained 12,347,297 records, with a combined size of 7 terabytes.
"I immediately sent a responsible disclosure notice, and I received a reply acknowledging my discovery and thanking me for my efforts. Public access was restricted the same day, but it is unclear how long the database was exposed or if any unauthorised individuals accessed the purported health records," Fowler said in his report.
According to Fowler's report, in addition to the millions of medical records, the database also contained development files from Redcliffe's mobile application.
"Exposed application files can potentially represent a significant risk in the wrong hands. These files control the functionality of an application and even the data transmitted from the user to the host server," the report said.
Fowler said that malicious actors could potentially use this information or files to carry out various cyberattacks and compromise user data, application functionality, or the security of the mobile device itself.
"Cybercriminals gaining access to a user’s health and medical testing data could result in serious privacy violations. Additionally, exposed code or resource files can hypothetically be used to reverse engineer, analyze, or decompile the application to see how it functions. This could possibly lead to identifying additional vulnerabilities and weaknesses that can later be exploited," Fowler added in his report.
Fowler clarified that there is no indication or suggestion that the Redcliffe Labs app is vulnerable or has been compromised in any way; the concerns outlined are general in nature and highlight the potential ramifications of source code exposure in any app.
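The passage above describes, in general terms, why leaked application files matter: the first thing anyone who obtains such files does is search them for embedded endpoints, keys and credentials. The following scanner is an added example written for this page; it is not code from the article, from Fowler, or from Redcliffe Labs, and every file name, path and value in `SAMPLE_FILES` is a constructed sample (the AWS key ID and secret are Amazon's published documentation placeholders, not live credentials). It walks a set of files, applies a handful of well-known secret patterns, scores each hit with Shannon entropy to help separate random-looking keys from placeholder words, and masks values so the report itself does not become a second leak.

```python
"""Triage leaked app source/resource files for hard-coded secrets and endpoints.

Added example, not code from the original article or from Redcliffe Labs.
All paths and contents in SAMPLE_FILES are constructed for demonstration.
"""
import math
import re
from collections import Counter

# (finding kind, compiled pattern, index of the regex group holding the value)
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0),
    ("google_api_key", re.compile(r"AIza[0-9A-Za-z\-_]{35}(?![0-9A-Za-z\-_])"), 0),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |)PRIVATE KEY-----"), 0),
    # key/secret/token/password style assignments, quoted or bare, any suffix
    # on the name (so aws_secret_access_key = ... is caught as well)
    ("generic_secret",
     re.compile(r"(api[_-]?key|secret|token|password)[a-z_]*\s*[:=]\s*[\"']?([^\s\"']{8,})[\"']?",
                re.IGNORECASE), 2),
    # plain URLs: backend hosts an attacker would enumerate next
    ("url", re.compile(r"https?://[^\s\"'<>]+"), 0),
]


def shannon_entropy(value: str) -> float:
    """Bits per character: random-looking keys score high, dictionary words low."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value: str) -> str:
    """Never echo a full secret into a report, ticket or log line."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 6) + value[-2:]


def scan_text(path: str, text: str) -> list[dict]:
    """Return one finding per pattern hit, with file, line, kind, masked value, entropy."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern, group in PATTERNS:
            for m in pattern.finditer(line):
                value = m.group(group)
                findings.append({
                    "file": path, "line": lineno, "kind": kind,
                    "value": mask(value),
                    "entropy": round(shannon_entropy(value), 2),
                })
    return findings


def scan_files(files: dict[str, str]) -> list[dict]:
    """files maps a path to its text, e.g. read from an unpacked APK or a leaked build tree."""
    out = []
    for path, text in sorted(files.items()):
        out.extend(scan_text(path, text))
    return out


def summarize(findings: list[dict]) -> dict[str, int]:
    """Count findings per kind; a quick view of how bad a leak is before reading every hit."""
    return dict(Counter(f["kind"] for f in findings))


# Constructed sample of what a leaked mobile-app build tree might contain.
# Key values are placeholders; the AWS pair is Amazon's documentation example.
SAMPLE_FILES = {
    "app/src/main/res/values/strings.xml": (
        '<string name="api_base">https://api.example.invalid/v2/</string>\n'
        '<string name="maps_key">AIzaSyA1234567890abcdefghijklmnopqrstuv</string>\n'
    ),
    "app/build/bundle.js": (
        'const API_TOKEN = "9f8e7d6c5b4a39281706f5e4d3c2b1a0f1e2d3c4";\n'
        'const UPLOAD_URL = "https://uploads.example.invalid/v1/results";\n'
    ),
    "app/src/main/assets/aws.cfg": (
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "app/keys/dev.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIBOgIBAAJBAKconstructedsamplenotarealkeyAAAA\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    ".env.example": "DB_PASSWORD=changeme\nDEBUG=true\n",
    "README.md": "Build with ./gradlew assembleRelease.\n",
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f['file']}:{f['line']} {f['kind']:<18} {f['value']} (entropy {f['entropy']})")
    print(summarize(results))
```

The entropy column is the useful discriminator: the `.env.example` placeholder scores low while the AWS secret and the JavaScript token score high, which is how a defender prioritises rotation, and equally how an attacker prioritises what to try first. Real scanners such as gitleaks or trufflehog carry far larger pattern sets; the point here is that nothing more sophisticated than this is needed once the files are exposed.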
Redcliffe Says No Data Breach
Redcliffe Labs has denied any data breach. In response to a query from BW Healthcare World, the company's CTO Prabhat Pankaj said that no data breach has occurred at Redcliffe Labs, adding that the company keeps its databases within private virtual private clouds (VPCs), making them inaccessible to the public, even with credentials.
"They are further safeguarded by encryption at rest. Our commitment to security is demonstrated by a robust security framework, including endpoint protection, vulnerability assessments, cloud security, and database encryption. We have undergone various information security checks, VAPT and other independent third-party assessments from time to time with the most recent audit concluded in September 2023," Pankaj clarified.
Redcliffe Labs is one of India’s largest diagnostic centres. It offers more than 3600 wellness and illness tests. Users can receive medical diagnosis services at home, at medical facilities, and online via a mobile application. These services include full-body checkups at home, blood testing, diabetes tests, joint care, vitamin tests, and specialised testing services for cancer, genetics, HIV, pregnancy, and many others.
According to its website, the company has 2.5 million customers. However, a folder in the database named "test results" contained over 6 million PDF documents. This could indicate either that far more customers were potentially affected or that these were multiple tests from repeat customers, Fowler's report noted.
"At Redcliffe Labs, we take the security of our customers' data extremely seriously and thus all our infrastructure is built to secure this at the highest level. In our lab and other IT environment, we've implemented dedicated firewalls to secure the IT infrastructure, even in non-production settings," Pankaj maintained.
Redcliffe Labs is present in more than 220 cities with 80 Labs and 2000 Walk-in Wellness and Collection Centres across India.