Gemotest, one of the largest private medical laboratory networks in Russia, suffered a data breach in April 2022 that exposed approximately 31 million patient records. The data was placed for sale on dark-web forums in early spring 2022 and was subsequently sold to multiple buyers and published. Russian dark-web monitoring service DLBI first reported the leak. Roskomnadzor, Russia's data-protection regulator, opened an investigation, and a Moscow magistrate court fined the company 60,000 rubles in mid-2022 for the violation.\n\nThe published dataset reportedly contained approximately 300 gigabytes of customer data covering more than 30 million records. Compromised fields included names, dates of birth, gender, phone numbers, email addresses, physical addresses, Russian internal passport series and numbers, and insurance identifiers. Have I Been Pwned indexed approximately 6.3 million unique email addresses among the records. Russian COVID-19 testing protocols at the time required passport verification, which is why a substantial subset of records included passport identifiers tied to test results.\n\nFor affected individuals, the practical risk profile is unusually severe and durable. The combination of name, date of birth, address, and Russian passport number is a strong base for identity-verification bypass at Russian financial institutions and government services. Cross-border risks apply because the dataset has continued to circulate internationally, and individuals who travelled to or from Russia during the affected period may face exposure to identity-document fraud or impersonation. Patients in occupied territories who may have used Russian-issued passports for COVID testing face additional political and personal-safety considerations given investigative-journalism use of the dataset. Anyone whose Gemotest records were affected should treat their Russian passport number as durably exposed and remain alert to unsolicited contact referencing past medical testing or government services.

Medical laboratory networks collect highly sensitive patient identity, contact, billing, insurance, provider-order, and diagnostic test records across lab testing workflows.

Gemotest was fined approximately 60,000 rubles (around \$1,000 at the time) by a Moscow magistrate court in mid-2022 for the data leak, the maximum penalty allowed under Russian personal-data legislation in force at that time. Russian data-protection enforcement has tightened modestly since 2022, with new amendments allowing larger turnover-based fines for repeat offenders. The Gemotest dataset has continued to circulate on Russian and international dark-web forums in the years since the original release. Notable subsequent uses of the dataset include investigative journalism: in 2023 reporting by RFE/RL's Schemes unit used Gemotest records to identify a Ukrainian judge who had used a Russian passport for COVID-19 testing in occupied Crimea, supporting allegations of dual citizenship.