DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

COVID Test Data Breach: 1.3 Million Patient Records Exposed Online

Posted on January 23, 2024 by Dissent

Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to vpnMentor about a non-password protected database that contained nearly 1.3 million records, which included COVID-19 testing information and personally identifiable information such as the patient’s name, date of birth, and passport number.

Jeremiah Fowler writes:

The publicly exposed database contained an estimated 1.3 million records that included 118,441 certificates, 506,663 appointments, 660,173 testing samples, and a small number of internal application files. The exposed certificates and other documents were all marked with the name and logo of Coronalab.eu. Although the website appears to be offline, Coronalab is owned by Microbe & Lab, an ISO-certified laboratory based in Amsterdam, Netherlands. According to the NL Times, “CoronaLab is one of the two largest commercial test providers in the Netherlands”. I sent multiple responsible disclosure notices and did not receive any reply and several phone calls also yielded no results. The database remained open for nearly 3 weeks before I contacted the cloud hosting provider and it was finally secured from public access. In most cases the organization replies or closes public access immediately after receiving a responsible disclosure notice. Another research-based online publication, Cybernews, claimed to have found a similar leak around the same time of my discovery. I cannot confirm if it’s related or not.

The exposed COVID test records contained each patient’s name, nationality, passport number, and test results, as well as the price, location, and type of test conducted. The database also contained thousands of QR codes and hundreds of.csv files that showed appointment details and many patients’ email addresses.

Read more at vpnMentor.

Related posts:

  • 845GB of racy dating app records exposed to entire internet via leaky AWS buckets
  • A leak report quietly disappears, leaving questions in its wake
  • Misconfigured cloud storage bucket exposed Pfizer drug safety-related reports — researchers
  • No need to hack when it’s leaking (CORRECTED)
Category: ExposureHealth DataNon-U.S.

Post navigation

← Dutch SA Sanctions Credit Card Company for Failure to Perform Data Protection Impact Assessment
Bucks Co. emergency dispatch system down for days due to cyberattack →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit
  • British national “IntelBroker” charged with causing $25 million in damages; U.S. seeks his extradition from France

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.