Millions of COVID-19 test results exposed online

Due to an error in the implementation of its online system, the Department of Health and Welfare of West Bengal, India presented the information of at least 8 million COVID-19 tests performed on its population. This finding was reported by cybersecurity specialist Sourajeet Majumder, who in the past reported similar incidents.

“I can confirm that I found a problem on an Indian government website, which would have resulted in the leak of COVID-19 tests of millions of people in a particular territory,” Majumder says. The expert mentions that the reports presented contain various confidential records, including names, dates of birth, addresses, among others.

The researcher detected this leak by viewing the contents of a text message sent to a COVID-19 lab: “I was able to discover that the structure of the URL leading to this site is made up of a base64-encoded report identification number.”

This base64-encoded information could be decrypted to a simpler format, which would eventually lead to exposure to these confidential medical records. In addition, since the base64 encoding applied to the numeric identifier was optional, the Expert Advisor had no difficulty deleting it to retrieve the information. In this way Majumder demonstrated that a threat actor could retrieve the results of these tests through a simple URL enumeration process, for example:


As mentioned above, each report contains the patient’s name, age, gender, home address, COVID-19 test result, application date, registration number, and laboratory name.

The Department of Health and Welfare received the report from and instructed its IT department to correct these safety issues. While the authorities did not respond directly to the investigator who filed the report, a speedy review of the affected platform shows that the failures have been corrected.

“Now, the endpoints that addressed these sensitive reports return a 404 (NOT FOUND) message to the user,” the researcher says. On the other hand, Dr. Sushant Roy, responsible for managing the pandemic in West Bengal also spoke about the leak: “We know that these records must be kept confidential for the benefit of the privacy of these patients,” he acknowledges.

Unfortunately this is not the first occasion to set out details of this nature. A couple of months ago multiple independent labs were affected by a similar incident, exposing the COVID-19 test results due to a URL configuration error. IT administrators in charge of these records should take a patient privacy protection approach, as leaking this information could have disastrous consequences.