TechRadar
Benedict Collins

Covid test lab leaks details of over a million patients online


A leaked Covid-19 testing database which contains the personal details of an estimated 1.3 million people has been discovered online by a top security researcher.

The database, operated by Coronalab.eu which is owned by Microbe & Lab, an ISO-certified lab based in Amsterdam, Netherlands, was found without password protection and the documents within were all marked with the name and logo of the database owner.

Jeremiah Fowler, who reported the vulnerability to vpnMentor, attempted to contact CoronaLab with several responsible disclosure notices, but the database remained open until the cloud-hosting provider storing the database secured it from public access after they were made aware of the issue. It is unknown whether the database was directly managed by CoronaLab.

Data leakage, identity theft, and potentially much more

Inside the database, the full names, dates of birth and passport numbers of over a million people were discovered. The owner of the database, Microbe & Lab, is an ISO-certified lab based in Amsterdam, Netherlands.

The email addresses, test results, prices and locations of many other tests were also found within QR codes and .csv files. This information would be an absolute goldmine for a malicious actor, who could utilise the data to launch highly sophisticated Covid-19 related phishing attacks, commit fraud, or sell the data on.

A positive test certification from the CoronaLabs database with the patient's full name, date of birth, and passport number. (Image credit: Jeremiah Fowler - vpnMentor)

Fowler noted in the research that it is not known who else had access to the data before it was discovered to be vulnerable, or how long it had been open to access, stating that, “only an internal forensic audit would identify if others may have accessed the database or performed any other suspicious activity. It is also unclear if customers, patients, or the authorities have been notified of the data incident.”

Fowler also pointed out that the improper storage of patient data is not only a risk to patient privacy, especially when the data is related to Covid testing, but “could also affect how patients view public healthcare providers and how much they trust them to safeguard their medical data.”

Covid is still relatively fresh in the minds of much of the world, and medical researchers are still grappling with potential long-term conditions such as ‘long Covid’. Fowler points out that the exposure of individual test results could have longer-term ramifications because the long-term effects of the virus remain unclear.

Due to the sensitivity of patient data, the Biden administration is seeking to introduce a new policy stating that medical providers must ensure that they follow the best security practices in order to secure funding.
