covid lab samples

Websites of multiple Indian government departments, including national health and welfare agencies, are leaking COVID-19 lab test results for thousands of patients online.

These leaked lab reports which are being indexed by search engines expose patient data, and whether they tested positive for coronavirus.

Google indexes COVID-19 lab test reports

This week, while searching for a means to obtain COVID-19 test results online, I accidentally came across what looked like exposed COVID-19 test results for thousands of patients.

As observed by BleepingComputer, each of these PDF reports showing up on Google were hosted on *.gov.in and *.nic.in domains.

These domains belong to multiple government agencies located in the national capital of New Delhi.  

Each PDF contained hundreds of records of patients who underwent an RT-PCR test, and exposed:

  • patient name
  • age and/or date of birth
  • report identifier numbers, including the nationally-trackable Specimen Referral Form (SRF) ID used by government authorities
  • dates of testing
  • hospital site where testing took place and the doctor’s information, and
  • whether the patient tested positive or negative for the SARS-CoV-2 virus
COVID19 test results leaked india
Each PDFs has pages of tables exposing COVID-19 test results for hundreds of patients
Source: BleepingComputer

While a majority of lab test reports are dated between November 2020 and January 2021, BleepingComputer also observed reports from April 2020 and earlier, as a part of this leak spanning across multiple government agencies.

In addition to summary tables, some files also had entire scanned sheets of individual patient lab test reports enclosed within.

Redacted COVID-19 test report found in leaked PDF
Some PDFs also contained individual lab test reports per patient
Source: BleepingComputer

The number of patient records contained in the few PDFs analyzed by BleepingComputer already exceeded 1,500 when totaled.

We estimate that even more patient records are leaking in real-time.

Government asks testing labs to provide data for ‘test, trace, isolate’

Both public and private COVID-19 testing labs in India are required to report every RT-PCR test result to the designated government agencies, as a part of the country’s ongoing “test, trace, isolate, treat” efforts.

A physician who is the director of one such lab told BleepingComputer:

“In order to successfully implement the test-trace-isolate process, the government often requires labs to send patients’ test results to the relevant government authorities. This is in addition to the data uploaded by labs onto the Indian Council of Medical Research (ICMR) web portal, where every RT-PCR test done in India is documented.”

Every leaked COVID-19 test report observed thus far by BleepingComputer, even the ones hosted on different government domains, have an identical URL structure.

Based on the URL structures, it appears, the PDFs are hosted on the same CMS system which is used by the Indian government offices for posting publicly accessible documents, like job interview notices, business tender bulletins, etc. 

It is likely, the employees who uploaded these COVID-19 test reports onto the CMS intended to share these internally, without realizing these reports were being inadvertently shared via a publicly accessible system.

On discovering the leak and verifying its origin, BleepingComputer promptly reached out to relevant parties including multiple Delhi government offices, National Informatics Centre (NIC), Digital India, and the Indian CERT.

Online COVID-19 test verification systems typically restricted

Multiple Indian states have rolled out web portals that let government offices and healthcare professionals share data and easily verify the authenticity of COVID-19 reports online using their SRF ID.

These systems are, however, restricted from the eyes of the general public.

Further, these web portals are secured with captchas, and require an additional verification parameter, such as the registered phone number of the authorized healthcare worker, before the test result can be disclosed.

This measure both restricts data access to limited parties involved in test-trace-isolate programs and makes it easy for authorities such as airport staff to distinguish authentic COVID-19 test reports from fakes. 

Under no circumstances are COVID-19 test results for multiple patients meant to be exposed to the general public or be made available for bulk web scraping.

While this leak has originated on Indian government websites, previously, some private labs risked exposure of COVID-19 test reports due to insecure QR code implementations

BleepingComputer has reached out to relevant parties including the Delhi government offices, National Informatics Centre (NIC), Digital India, and the Indian CERT multiple times for comment but we did not hear back.