Sensitive patient records exposed in a data breach at Redcliffe Labs

Millions of highly sensitive patient records owned by India’s prominent diagnostics company Redcliffe Labs, which serves over 2.5 million customers and offers more than 3600 wellness and illness tests, have reportedly been exposed in a cybersecurity breach discovered by cybersecurity researcher Jeremiah Fowler.

Fowler, a co-founder of Cyber Security Discovery, a security consulting firm specializing in identifying and reporting data security vulnerabilities and data leaks, disclosed that a non-password-protected database containing over 12 million records, including medical diagnostic scans, test results, and other potentially sensitive medical records, was uncovered on Wednesday.

The database contained extensive patient information, encompassing names, doctors’ names, details on whether the test sample was collected at home or at a medical facility, and a wide range of other sensitive health information. According to Fowler, the database held 12,347,297 records, with a total size of 7 TB.

The breach also involved miscellaneous folders containing non-password-protected files, consisting of 3,912,445 objects and a size of 2.7 GB. These folders contained various file types, including .PDF files, internal business documents, logging records, and mobile application and development files.

Fowler promptly contacted the company responsible for the exposed data. “After further investigation, it was determined that the documents belonged to an India-based company called Redcliffe Labs. I immediately sent a responsible disclosure notice and received a reply acknowledging my discovery and thanking me for my efforts,” Fowler stated.

Public access to the database was restricted on the same day, but it remains unclear how long the database was exposed or if any unauthorized individuals accessed the purported health records.

In response to Fowler’s claims, Redcliffe Labs’ Chief Technology Officer (CTO) Prabhat Pankaj refuted the allegations, asserting that the company takes the security of its customers’ data extremely seriously. Pankaj emphasized that their infrastructure is built with the highest level of security, implementing dedicated firewalls and private Virtual Private Clouds (VPCs) for data storage, making them inaccessible to the public, even with credentials. The company also employs encryption at rest and undergoes regular information security checks.
