‘12 million patient records exposed’: Researcher claims Redcliffe Labs hit by cyber attack; Company says ‘no data breach’

A cybersecurity expert has claimed that diagnostics service provider, Redcliffe Labs, has been hit by a cyber attack that exposed over 12 million patient records.

The expert, Jeremiah Fowler, has revealed that the database was not password-protected and held over 12 million records, including medical diagnostic scans, test results, and other potentially sensitive medical records.

Moreover, Fowler has claimed that this data breach can lead to misuse of private health information, medical identity theft and ransomware attacks.

“The database contained a massive amount of medical test results that included the names of patients, doctors, if the testing sample was done at home or at a medical facility, and a wide range of other sensitive health information. The total number of records was significant, at a count of 12,347,297 with a total size of 7TB. Upon further investigation, the documents were marked as belonging to an India-based company called Redcliffe Labs. I immediately sent a responsible disclosure notice, and I received a reply acknowledging my discovery and thanking me for my efforts. Public access was restricted the same day, but it is unclear how long the database was exposed or if any unauthorized individuals accessed the purported health records,” Fowler said in his report that he sent to WebsitePlanet.

He also stated that although the company’s website claims that they have 2.5 million customers, a folder in the database named “test results” contained over 6 million PDF documents. “This could indicate either that far more customers were potentially affected or that perhaps these were multiple tests from repeat customers,” he stated.

It is noteworthy that Fowler has also shared images of some of the documents that he found during his investigation, among them a patient’s X-ray report that includes the patient’s PII, such as their date of birth; an internal reimbursement document, which discloses the employees’ names, office or travel location, and other information; and a blood test that contained the name of the patient, the patient’s ID number, detailed health data, doctor’s name, and other test-related information.

Meanwhile, Fowler also revealed that in addition to the millions of medical records, the database contained development files from the company’s mobile application.

“Exposed application files can potentially represent a significant risk in the wrong hands. These files control the functionality of an application and even the data transmitted from the user to the host server. Malicious actors could potentially use this information or files to carry out various cyberattacks and compromise user data, application functionality, or the security of the mobile device itself,” he stated.

He also shared that one of the biggest possible risks is the manipulation or modification of the application’s code files.

“To clarify, there’s no indication or suggestion that the Redcliffe Labs app is vulnerable or has been compromised in any way. The concerns outlined here are general in nature and highlight the potential ramifications of source code exposure in any app,” he added.

As of the time of this publication, it is not known if Redcliffe Labs has notified the proper authorities or the potentially affected individuals regarding the data exposure, he stated.

“Furthermore, I do not imply or claim any wrongdoing by Redcliffe Labs, nor do I claim that patients or users’ health data was ever at imminent risk or accessed by any other outside individuals. It would require a thorough investigation, potentially including a forensic audit, to identify who else may have had access to the millions of publicly exposed health records and internal information,” he said.

Financial Express.com reached out to the diagnostics company and they maintained that “there isn’t any data breach.”

“At Redcliffe Labs, we take the security of our customers’ data extremely seriously and thus all our infrastructure is built to secure this at the highest level. In our lab and other IT environment, we’ve implemented dedicated firewalls to secure the IT infrastructure, even in non-production settings. This is also to address that there isn’t any data breach that has happened at Redcliffe Labs. For us, security isn’t just about the end result; it’s about every step in the process. We’d like to emphasise that all our databases are stored within private VPCs, making them inaccessible to the public, even with credentials,” Pabhat Pankaj, CTO, Redcliffe told Financial Express.com in a statement shared over WhatsApp.

Pankaj claimed that they are further safeguarded by encryption at rest.

“Our commitment to security is demonstrated by a robust security framework, including endpoint protection, vulnerability assessments, cloud security, and database encryption. We have undergone various information security checks, VAPT and other independent third-party assessments from time to time with the most recent audit concluded in September 2023. Rest assured, our dedication to cybersecurity is unwavering, and we continue to invest in cutting-edge technology to protect our Customer’s information,” he told Financial Express.com.

According to Fowler, the healthcare industry has always been a prime target for cyberattacks due to the valuable nature of the data it holds.

“While credit cards, identification documents, and other records have an expiration date, personal health data is non-perishable and is particularly valuable to criminals. On the darkweb, healthcare records can sell for as much as 1,000 USD each; credit card data, for comparison, usually sells for 5 USD,” he revealed.