COVID-19 test lab accused of exposing 1.3 million patient records to open internet

Now that's a Dutch crunch


A password-less database containing an estimated 1.3 million sets of Dutch COVID-19 testing records was left exposed to the open internet, and it's not clear if anyone is taking responsibility.

Among the information revealed in the publicly accessible and seemingly insecurely configured database were 118,441 coronavirus test certificates, 506,663 appointment records, 660,173 testing samples and "a small number" of internal files. A bevy of personally identifiable information was included in the records, including patient names, dates of birth, passport numbers, email addresses, and other details.
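The exposure above is the classic "reachable from the internet, no credentials asked" misconfiguration. As an added example (not from the article, CoronaLab, or Fowler's report), this is the kind of unauthenticated-access check a defender can run against their own externally reachable datastore endpoints. It assumes an HTTP-speaking datastore API; the article does not say which database product was involved. The in-block server and its `/open` and `/guarded` paths are constructed stand-ins so the check runs offline.

```python
import http.server
import json
import threading
import urllib.error
import urllib.request
from http import HTTPStatus


# Constructed stand-in for a datastore's HTTP API (hypothetical paths):
# /open answers anyone; /guarded demands an Authorization header.
class _FakeStore(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/guarded" and "Authorization" not in self.headers:
            self.send_response(HTTPStatus.UNAUTHORIZED)
            self.send_header("WWW-Authenticate", "Basic")
            self.end_headers()
            return
        body = json.dumps({"records": ["constructed-sample-row"]}).encode()
        self.send_response(HTTPStatus.OK)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def classify_endpoint(url, timeout=3.0):
    """Request url with NO credentials and report what an anonymous client gets.

    EXPOSED        -> data served without any authentication (the CoronaLab case)
    AUTH_REQUIRED  -> server refused the anonymous request (401/403)
    UNREACHABLE    -> nothing answered (good for a database that should be private)
    """
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            if resp.getcode() == 200:
                return "EXPOSED"
            return f"OTHER:{resp.getcode()}"
    except urllib.error.HTTPError as e:
        if e.code in (401, 403):
            return "AUTH_REQUIRED"
        return f"OTHER:{e.code}"
    except (urllib.error.URLError, OSError):
        return "UNREACHABLE"


def run_demo():
    """Start the constructed store on a loopback port, probe it, return verdicts."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _FakeStore)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = f"http://127.0.0.1:{port}"
        return {
            "open": classify_endpoint(f"{base}/open"),
            "guarded": classify_endpoint(f"{base}/guarded"),
            # Port 1 on loopback: assumed closed, so the connect is refused.
            "dead": classify_endpoint("http://127.0.0.1:1/"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

Run this from outside your own network perimeter against the endpoints you own; any `EXPOSED` verdict on a datastore is the finding, and the fix is on the server side (bind to a private interface and require credentials), not in the probe.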

The leaky database was discovered by perennial breach sniffer Jeremiah Fowler, who reckoned it belongs to one of the Netherlands' largest commercial COVID-19 test providers, CoronaLab – a subsidiary of Amsterdam-based Microbe & Lab. The US Embassy in the Netherlands lists CoronaLab as one of its recommended commercial COVID-19 test providers in the country. 

If someone with malicious intent managed to find the database they could do some serious damage, Fowler warned. 

"Criminal[s] could potentially reference test dates, locations, or other insider information that only the patient and the laboratory would know," he wrote. "Any potential exposure involving COVID test data combined with PII could potentially compromise the personal and medical privacy of the individuals listed in the documents." 

Will the responsible party please stand up?

The CoronaLab data exposure report reads in many ways like any other accidental data exposure story: the database was found, and now it's offline. But this one isn't that simple.

According to Fowler, no-one at CoronaLab or Microbe & Lab ever responded to his repeated attempts to reach out and inform them of the exposure. 

"I sent multiple responsible disclosure notices and did not receive any reply, and several phone calls also yielded no results," Fowler claimed. "The database remained open for nearly three weeks before I contacted the cloud hosting provider and it was finally secured from public access." 

The Register has asked Microbe & Lab for more information about the incident, and we haven't heard back either.

Without more information from Microbe & Lab or CoronaLab itself, it's impossible to know how long the database was actually exposed online. The CoronaLab website is down as of this writing – it's not clear if the outage is related to the database exposure, or if the service will be brought back online. 

Because no-one at the organization whose records were exposed can be reached, it's also not clear if customers or patients are aware that their data was exposed online. Nor, importantly, do we know if European data protection authorities have been informed.

Per article 33 of the EU General Data Protection Regulation (GDPR), data breaches must be reported to local officials within 72 hours of detection, and notifications also have to be made to affected individuals. We reached out to the Dutch Data Protection Authority to learn if it had been notified of the CoronaLab data exposure, and didn't immediately hear back.

On January 29, we received a response from a CoronaLab spokesperson who told us, "In response to an external report by a security researcher, we immediately started an investigation and found that unlawful access was gained to a backup of data via a former IT supplier. Immediate action was taken and a report has been made to the Dutch Data Protection Authority and we are currently notifying those who may be affected with an explanation of what has happened, what actions we have taken and the possible consequences for them. We regret the situation and are implementing even stricter measures on the current IT suppliers, so that they comply with the agreements made and these types of incidents are prevented in the future."

They added: "We are currently not aware of any misuse of the exposed data. Our coronalab website has been down since last year when we stopped testing COVID; this is also the reason why emails sent to this email address haven't been read or replied to for some time." ®
