Covid test lab leaks details of over a million patients online

Skull and Bones
Image Credit: Pixabay (Image credit: Pixabay)

A leaked Covid-19 testing database which contains the personal details of an estimated 1.3 million people has been discovered online by a top security researcher.

The database, operated by which is owned by Microbe & Lab, an ISO-certified lab based in Amsterdam, Netherlands, was found without password protection and the documents within were all marked with the name and logo of the database owner.

Jeremiah Fowler, who reported the vulnerability to vpnMentor, attempted to contact CoronaLab with several responsible disclosure notices, but the database remained open until the cloud-hosting provider storing the database secured it from public access after they were made aware of the issue. It is unknown whether the database was directly managed by CoronaLab.

Data leakage, identity theft, and potentially much more

Inside the database, the full names, dates of birth and passport numbers of over a million people were discovered. The owner of the database, Microbe & Lab, is an ISO-certified lab based in Amsterdam, Netherlands.

The email addresses, test results, prices and locations of many other tests were also found within QR codes and .csv files. This information would be an absolute goldmine for a malicious actor, who could utilise the data to launch highly sophisticated Covid-19 related phishing attacks, commit fraud, or sell the data on.

Positive test certificate from the CoronaLabs database

A positive test certification from the CoronaLabs database with the patients full name, data of birth, and passport number. (Image credit: Jeremiah Fowler - vpnMentor)

Fowler noted in the research that it is not known who else had access to the data before it was discovered to be vulnerable, or how long it had been open to access, stating that, “only an internal forensic audit would identify if others may have accessed the database or performed any other suspicious activity. It is also unclear if customers, patients, or the authorities have been notified of the data incident.”

Fowler also pointed out that the improper storage of patient data is not only a risk to patient privacy, especially when the data is related to Covid testing but, “could also affect how patients view public healthcare providers and how much they trust them to safeguard their medical data.”

Covid is still relatively fresh in the minds of much of the world and medical researchers are still grappling with the potential long-term conditions such as ‘long Covid’. Fowler points out that the exposure of individual test results could have longer term ramifications due to the obscurity of the long term effects of the virus.

Due to the sensitivity of patient data, the Biden administration is seeking to introduce a new policy stating that medical providers must ensure that they follow the best security practices in order to secure funding.

More from TechRadar Pro

Benedict Collins
Staff Writer (Security)

Benedict Collins is a Staff Writer at TechRadar Pro covering privacy and security. Before settling into journalism he worked as a Livestream Production Manager, covering games in the National Ice Hockey League for 5 years and contributing heavily to the advancement of livestreaming within the league. Benedict is mainly focused on security issues such as phishing, malware, and cyber criminal activity, but he also likes to draw on his knowledge of geopolitics and international relations to understand the motives and consequences of state-sponsored cyber attacks.

He has a MA in Security, Intelligence and Diplomacy, alongside a BA in Politics with Journalism, both from the University of Buckingham. His masters dissertation, titled 'Arms sales as a foreign policy tool,' argues that the export of weapon systems has been an integral part of the diplomatic toolkit used by the US, Russia and China since 1945. Benedict has also written about NATO's role in the era of hybrid warfare, the influence of interest groups on US foreign policy, and how reputational insecurity can contribute to the misuse of intelligence.

Outside of work Ben follows many sports; most notably ice hockey and rugby. When not running or climbing, Ben can most often be found deep in the shrubbery of a pub garden.