Medical data leaks have increased in the COVID-19 era. During the pandemic, data protection and privacy concerns took center stage as governments and organizations worldwide implemented various overreaching measures to control the spread of the virus.
The database that had its data leaked was operated by CoronaLab, which is owned by Microbe & Lab, an ISO-certified lab based in Amsterdam, the Netherlands.
The leak was discovered on Jan. 22 by security researcher Jeremiah Fowler, who found that the database did not have password protection and the documents within were all marked with the name and logo of the database owner.
Fowler attempted to contact CoronaLab with several responsible disclosure notices, but the database remained open until the cloud-hosting provider storing it was made aware of the issue and secured it from public access. It is unknown whether the database was directly managed by CoronaLab.
The digital certificates indicated an individual’s vaccination status and, in many cases, were required for access to public spaces, travel, and certain services. This move marked a drastic shift in the way personal health information was used and shared, raising serious concerns about data privacy and surveillance. Aside from that, constant mandatory testing opened up new ways that people's data could be collected and shared.
CoronaLab is one of the Netherlands' largest COVID-19 test providers, and the lack of proper security infrastructure left the 1.3 million sets of coronavirus testing records in its system potentially compromised. The database contained an alarming variety of vital personal information, including patient names, passport numbers, email addresses, and other data.
Fowler found 118,441 test certificates, 660,173 testing samples, 506,663 appointment logs, and several internal files on the open internet, which, if sourced by a nefarious actor, could lead to significant privacy infringement.
"Criminal[s] could potentially reference test dates, locations, or other insider information that only the patient and the laboratory would know," Jeremiah Fowler commented.
The email addresses, test results, prices and locations of many other tests were also found within QR codes and .csv files. This information would be an absolute goldmine for a malicious actor, who could utilize the data to launch highly sophisticated COVID-19-related phishing attacks, commit fraud, or sell the data on.
Fowler noted in the research that it is not known who else had access to the data before it was discovered to be vulnerable, or how long it had been open to access, stating that, "only an internal forensic audit would identify if others may have accessed the database or performed any other suspicious activity. It is also unclear if customers, patients, or the authorities have been notified of the data incident."
Fowler also pointed out that the improper storage of patient data is not only a risk to patient privacy, especially when the data is related to COVID testing, but "could also affect how patients view public healthcare providers and how much they trust them to safeguard their medical data."
Due to the sensitivity of patient data, the Biden administration is seeking to introduce a new policy stating that medical providers must ensure that they follow the best security practices to secure funding.