Skip links

COVID-19 test lab accused of exposing 1.3 million patient records to open internet

A password-less database containing an estimated 1.3 million sets of Dutch COVID-19 testing records was left exposed to the open internet, and it’s not clear if anyone is taking responsibility.

Among the information revealed in the publicly accessible and seemingly insecurely configured database were 118,441 coronavirus test certificates, 506,663 appointment records, 660,173 testing samples and “a small number” of internal files. A bevy of personally identifiable information was included in the records – including patient names, dates of birth, passport numbers, email addresses, and other information.  

The leaky database was discovered by perennial breach sniffer Jeremiah Fowler, who reckoned it belongs to one of the Netherlands’ largest commercial COVID-19 test providers, CoronaLab – a subsidiary of Amsterdam-based Microbe & Lab. The US Embassy in the Netherlands lists CoronaLab as one of its recommended commercial COVID-19 test providers in the country. 

If someone with malicious intent managed to find the database they could do some serious damage, Fowler warned. 

“Criminal[s] could potentially reference test dates, locations, or other insider information that only the patient and the laboratory would know,” he wrote. “Any potential exposure involving COVID test data combined with PII could potentially compromise the personal and medical privacy of the individuals listed in the documents.” 

Will the responsible party please stand up?

The CoronaLab data exposure report reads in many ways like any other accidental data exposure news: It was found, and now the offending database is offline. But this one isn’t that simple.

According to Fowler, no-one at CoronaLab or Microbe & Lab ever responded to his repeated attempts to reach out and inform them of the exposure. 

“I sent multiple responsible disclosure notices and did not receive any reply, and several phone calls also yielded no results,” Fowler claimed. “The database remained open for nearly three weeks before I contacted the cloud hosting provider and it was finally secured from public access.” 

The Register has asked Microbe & Lab to get more information about the incident – and we haven’t heard back either. 

Without more information from Microbe & Lab or CoronaLab itself, it’s impossible to know how long the database was actually exposed online. The CoronaLab website is down as of this writing – it’s not clear if the outage is related to the database exposure, or if the service will be brought back online. 

Because no-one at the organization whose records were exposed can be reached, it’s also not clear if customers or patients are aware that their data was exposed online. Nor, importantly, do we know if European data protection authorities have been informed.

Per article 33 of the EU General Data Protection Regulation (GDPR), data breaches must be reported to local officials within 72 hours of detection, and notifications also have to be made to affected individuals. We reached out to the Dutch Data Protection Authority to learn if it had been notified of the CoronaLab data exposure, and didn’t immediately hear back. ®