An unsecured database belonging to a Netherlands-based medical laboratory, Coronalab.eu, was found exposed on the internet, revealing 1.3 million records, including COVID test results and personal identifiable information. Security researcher Jeremiah Fowler discovered the trove, which lacked password protection, and contained documents marked with Coronalab.eu’s name and logo. The exposed records included certificates, appointments, testing samples, and internal application files. Despite Fowler’s attempts to contact Microbe & Lab, the owner of Coronalab.eu, about the exposure, no response was received, and the data remained exposed until Google, the host, was contacted.
The exposed database, detected by security researcher Jeremiah Fowler, contained approximately 1.3 million records, including COVID test results and personal information. The documents were marked with the name and logo of Coronalab.eu, owned by Microbe & Lab, a medical laboratory based in Amsterdam. The records exposed included certificates, appointments, testing samples, and a small number of internal application files. The leaked COVID test records contained patient names, nationality, passport numbers, test results, pricing information, test locations, and types of tests conducted.
The exposure raised concerns as the database contained sensitive information, including COVID test results, and was left unsecured for an unknown duration. Fowler discovered the unsecured database and attempted to contact Microbe & Lab without receiving a response. The data remained exposed until Google, the host, was contacted. The incident highlights the importance of securing healthcare databases, especially during the COVID era, where testing and medical institutions may not have been prepared for the massive influx of data.
The incident underscores the vulnerability of healthcare entities and the potential consequences of misconfigurations leading to data exposure. Security researchers stress the need for organizations to understand their responsibilities, especially regarding technical configurations, when using cloud computing services. Misconfigurations leading to health data breaches have become more common, emphasizing the importance of proactive monitoring, regular audits, and proper configuration of cloud resources. Instances like these may lead to regulatory fines and lawsuits, highlighting the significance of securing sensitive health data to protect patient privacy.
