Health Website Leaks 8 Million COVID-19 Test Results

A teenaged ethical hacker discovered a flawed endpoint associated with a health-department website in the state of Bengal, which exposed personally identifiable information related to test results.

Yet another human-related error — this time a flaw in a health department website in the state of Bengal, India — has exposed the confidential results of COVID-19 tests as well as personally identifying information (PII) for an entire geographic region’s population.

Test results related to more than 8 million people potentially were exposed before the agency fixed the error, according to a security researcher.

Sourajeet Majumder, a teenaged ethical hacker in India, noticed a flaw in the structure of a URL in a text informing someone of their test result from Bengal health authorities. It included a pathway for finding other people’s test results, according to a report in BleepingComputer. The error was eventually traced back to a faulty endpoint at the Health and Family Welfare Department of the state of West Bengal, according to the report.

Specifically, the structure of a URL in the text of the message just before providing the test result comprised a base64-encoded report ID number, which a threat actor could decode to construct new sets of URLs that would enable access to other test results, Majumder told the publication. In the case of the example shown in the report, the text “The Covid-19 Test Result of [Name]” was followed by the text “SRF ID 193” before showing the result as “negative.”

Majumder did some investigating and realized that the base64 encoding applied to the numeric identifier was optional, so removing it did not impact the ability to retrieve reports. He said that by enumerating URLs, an attacker could retrieve millions of confidential COVID-19 test results, according to the report.

Each medical record contained information pertaining to the patient’s name, age, gender, partial home address, COVID-19 test result, date of the test, report identifier and even identifying details for the lab where the test was conducted, Majumder said.

“I have found an issue in an Indian government site which is resulting in the leakage of test reports of EVERYONE who took a COVID-19 test in a particular state,” he told the outlet. “These reports have sensitive information about the citizens in them, like name, age, date and time of sample testing, residence address, etc.”

A potential hack leading to the ability to view the information would have looked something like this, according to the report:

https://cpms.wbhealth.gov[.]in:8003/Covid19.aspx?SRFID=1931XXXXXX1
https://cpms.wbhealth.gov[.]in:8003/Covid19.aspx?SRFID=1931XXXXXX2
https://cpms.wbhealth.gov[.]in:8003/Covid19.aspx?SRFID=1931XXXXXX3

The researcher said he tried to contact the health department about the leak but did not reach them. Majumder also disclosed his finding to a regional newspaper in India, which published a report on Tuesday in which a North Bengal health, Dr. Sushant Roy, acknowledged the flaw and said it would be fixed immediately.

It has since been remediated and it’s no longer possible to access reports using the enumeration method, according to BleepingComputer.

COVID-19 Data-Leak Accidents Abound

Though there was no intention in this case to leak relevant COVID-19 data, it’s not the first inadvertent potential exposure of test results or other related sensitive information since the pandemic began.

In September, the Wales arm of the U.K.’s NHS admitted that it accidentally uploaded PII for Welsh residents who tested positive for COVID-19 to a public server that anyone could search, exposing the information of more than 16,000 people. The leak, which was fixed 24 hours later, was blamed on “individual human error.”

In November, a COVID-19 data-sharing platform used by healthcare workers in the Philippines was found to be exposing healthcare worker data and potentially could have leaked patient data due to multiple system flaws.

Not all the COVID-19-related breaches have been accidental, either, as threat actors have willfully sought ways to get their hands on sensitive pandemic-related data with targeted attacks. In December for example, threat actors broke into the server of the European Medicines Agency and accessed documentation about the vaccine from Pfizer and BioNTech — data that was later leaked online.

Suggested articles