A Mumbai-based pathology lab has published the lab results of over 43,000 people online without securing them in any way, reports Buzzfeed. The lab dismissed its responsibility, stating to Buzzfeed that “maintaining doctor-patient privacy is not something that we as the lab are concerned with.” We’ve tried contacting the lab repeatedly, but the administrator declined to comment, saying that we should call him tomorrow evening before he cut the call.
MediaNama was able to verify the files as containing complete patient testing data, including HIV and other disease identifiers, along with personal identifiers like names. No contact details were available, so we haven’t been able to ascertain the authenticity of the data by calling patients who were tested. We’re not publishing any means of identifying the lab, given that the data is still online and easy to spot. The leak was first spotted by online security expert Troy Hunt, who is also the creator of HaveIBeenPwned, a service that lets people check whether their email address appears in known data breaches.
From a technical perspective, the page that lists the patient reports carries nothing that asks search engines to stay away: there is no robots.txt Disallow rule covering it and no noindex directive (a robots meta tag or an X-Robots-Tag response header). Because of this, the reports have been crawled, and the entire listing is available as a cached copy on Google and other search engines. Those cached copies persist until the engines recrawl the pages or a removal request is filed, so they remain reachable even if the lab restricts access to the source site in the meantime. Note also that robots directives are only a request that well-behaved crawlers honour; they are not access control. The root problem is that the reports are served to anyone who asks, with no authentication at all.
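The following is an added example, not code from the article or from the lab’s website, showing how an assessor would check what a crawler will do with a report page given its robots.txt, response status, response headers and HTML. The robots.txt text, headers and HTML below are constructed sample inputs so the check runs offline; the URL, paths and the Googlebot user-agent string are assumptions for illustration. It deliberately orders the checks the way a crawler experiences them: a 401/403 is the only outcome that actually keeps the data out of third-party hands, a Disallow stops the fetch (so a noindex on that page is never seen), and noindex is consulted only on pages the crawler is allowed to fetch.

```python
"""Classify what a well-behaved search crawler would do with a page.

Added example; inputs are constructed, not taken from the lab's site.
"""
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

# Constructed sample robots.txt files (assumed paths).
ROBOTS_OPEN = "User-agent: *\nDisallow: /admin/\n"
ROBOTS_BLOCK_REPORTS = "User-agent: *\nDisallow: /reports/\n"

# Constructed sample report pages (assumed markup).
HTML_PLAIN = "<html><head><title>Report</title></head><body>...</body></html>"
HTML_NOINDEX = (
    '<html><head><meta name="robots" content="noindex, nofollow">'
    "</head><body>...</body></html>"
)

REPORT_URL = "https://example.test/reports/12345.html"  # assumed URL


class _RobotsMetaParser(HTMLParser):
    """Collect directives from <meta name="robots" content="..."> tags."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() == "robots":
            self.directives.extend(
                p.strip().lower() for p in a.get("content", "").split(",")
            )


def robots_meta_directives(html):
    """Return the lower-cased directives found in robots meta tags."""
    p = _RobotsMetaParser()
    p.feed(html)
    return p.directives


def header_directives(headers):
    """Return the lower-cased directives found in X-Robots-Tag headers."""
    out = []
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":
            out.extend(p.strip().lower() for p in value.split(","))
    return out


def indexing_status(robots_txt, url, headers, html, status=200,
                    user_agent="Googlebot"):
    """Return 'requires-auth', 'blocked-by-robots', 'noindex' or 'indexable'.

    The order mirrors a crawler's behaviour: an authentication failure means
    the content is never obtained; a robots.txt Disallow means the page is
    never fetched, so any noindex inside it is never seen (the bare URL can
    still be listed if other pages link to it); noindex is only honoured on
    pages the crawler is allowed to fetch.
    """
    if status in (401, 403):
        return "requires-auth"          # the only real protection
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())   # parse() marks the file as read
    if not rp.can_fetch(user_agent, url):
        return "blocked-by-robots"
    if ("noindex" in header_directives(headers)
            or "noindex" in robots_meta_directives(html)):
        return "noindex"
    return "indexable"


if __name__ == "__main__":
    # The situation described in the article: open robots.txt, no
    # directives, no authentication, so the report is cached by search engines.
    print(indexing_status(ROBOTS_OPEN, REPORT_URL, {}, HTML_PLAIN))
```

Running the module prints `indexable` for the constructed report page. Two practical consequences follow from the ordering above: adding a Disallow rule after the fact does not purge copies already cached, and it prevents crawlers from ever seeing a noindex tag that would; getting cached copies dropped requires a noindex on a crawlable page or a removal request, and none of that substitutes for putting the reports behind authentication.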
Note that the company doesn’t seem to have any particular inclination to fix the issue, stating “We are moving to a new domain in January and retiring the existing website, so these problems will be fixed in Jan, but till then, we are not planning to do anything about this.” The patient data is currently located on a US-based server, outside Indian jurisdiction. Frankly, why should sensitive data of Indian patients be hosted outside India?
Is it legal?
While we couldn’t find any document indicating labs must secure patient data, the Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations, 2002 (Code of Ethics Regulations, 2002) (pdf) state that “Physicians are obliged to protect the confidentiality of patients including their personal and domestic lives, unless the law requires their revelation, or if there is a serious and identified risk to a specific person and / or community or notifiable disease.” It additionally states that “Records should not be made accessible to the attendants without the consent of the patient, except when the patient is not in a state to give consent and access to those records is imperative”, which is clearly not the case here. However, it’s not clear if a lab comes under the ambit of the code of ethics laid out by the IMC, unlike hospitals, nursing homes and other similar medical establishments which are governed by these guidelines.
It’s also worth noting that companies have gotten into trouble for backtracking on their privacy agreements, which in this case don’t even exist: most patients don’t know their data is up there online, let alone having signed a privacy agreement for it. It’s also not clear what legal recourse is available to patients to get the data taken offline.
Significant breach of privacy
Publicly displaying medical records with disease and name identifiers is a significant breach of privacy. No patient walks into a doctor’s office to get a medical test for a condition expecting to have the results publicly displayed online for everyone to see, and the lab’s response to this has been appalling at best. This episode underscores the need for a privacy law in India, one under which personal data is protected by default. However, the Government’s reluctance to enact one has left companies shrugging off responsibility, to the detriment of end users.