Noida-based Redcliffe Labs exposes over 12 mn patient records, claims researcher

Millions of highly sensitive patient records owned by Redcliffe Labs, a diagnostics company based in Noida India, have reportedly been exposed in a recent cyber breach incident. 

Jeremiah Fowler, a cybersecurity researcher and co-founder of Cyber Security Discovery, a security consulting firm specialising in identifying and reporting data security vulnerabilities and data leaks, claims that on Wednesday, a non-password protected database containing over 12 million records, including medical diagnostic scans, test results, and other potentially sensitive medical records, was discovered. 

The database contained medical test results that included patient names, doctors' names, information on whether the testing sample was done at home or at a medical facility, and a wide range of other sensitive health information. The total number of records was significant, with a total of 12,347,297 records and a size of 7TB, the researcher said.  

The breach involved miscellaneous folders containing non-password protected files, with a total of 3,912,445 objects and a size of 2.7 GB. These folders included .PDF files, internal business documents, logging records, and mobile application and development files. 

"After further investigation, it was determined that the documents belonged to an India-based company called Redcliffe Labs. I immediately sent a responsible disclosure notice, and I received a reply acknowledging my discovery and thanking me for my efforts," said Fowler. Public access to the database was restricted on the same day, but it is unclear how long the database was exposed or if any unauthorised individuals accessed the purported health records, he added. 

The diagnostic lab however refuted the researcher's claim. Redcliffe’s Chief Technology Officer (CTO) Prabhat Pankaj, told TechCircle, "At Redcliffe Labs, we take the security of our customers' data extremely seriously and thus all our infrastructure is built to secure this at the highest level. In our lab and other IT environment, we've implemented dedicated firewalls to secure the IT infrastructure, even in non-production settings. We'd like to emphasise that all our databases are stored within private VPCs, making them inaccessible to the public, even with credentials. They are further safeguarded by encryption at rest."

He added that the company has undergone various information security checks, VAPT, and other independent third-party assessments from time to time. The most recent audit was concluded in September this year.

Redcliffe Labs is one of India's largest diagnostic centers, offering over 3600 wellness and illness tests. According to their website, Redcliffe Labs has 2.5 million customers. However, a folder in the database named "test results" contained over 6 million PDF documents. This could indicate that far more customers were potentially affected or that these were multiple tests from repeat customers. Redcliffe Labs further has a home sample collection service in more than 220 cities, 80 labs, and 2000 walk-in wellness and collection centers across India, according to their website. 

While investigations are going on in this case, there is no doubt that the recent breaches of health data are particularly concerning, digital experts said, as they leave individuals vulnerable to scams, harassment, and discrimination without remedy in the absence of a data protection law in the country. 

In September, the official website of the Ministry of Ayush in Jharkhand was reportedly breached and has exposed over 3.2 lakh patient records on the dark web, cybersecurity researchers from CloudSEK said, stating that the website's database, amounting to 7.3 MB, holds patient records that include personally identifiable information (PII) and medical diagnoses. 

India has been the biggest target for cyber-attacks after the United States since 2021, with nearly 500 attacks in 2022 alone, according to cybersecurity firm CloudSEK. A separate study by NordVPN, a virtual private network service provider, showed India was the worst hit by data breaches, with some 600,000 people having had their data stolen and sold on bot markets by hackers. 

According to the 2023 IBM report published in June, India Inc’s average cost of data breaches reached ₹17.9 crore in 2023 – a 28 percent increase since 2020. Researchers believe this increase indicates a shift towards more intricate and complex breach investigations.