Mumbai pathology lab leaks lab results of over 43K people


A Mumbai-based pathology lab has published the lab results of over 43,000 people online without securing them in any way, reports Buzzfeed. The lab dismissed its responsibility, stating to Buzzfeed that “maintaining doctor-patient privacy is not something that we as the lab are concerned with.” We’ve tried contacting the lab repeatedly, but the administrator declined to comment, saying that we should call him tomorrow evening before he cut the call.

MediaNama was able to verify the files as containing complete patient testing data including HIV and other disease identifiers, along with personal identifiers like names. No contact details were available, so we haven’t been able to ascertain the authenticity of the data by calling patients who were tested. We’re not publishing any means of identifying the lab, given that the data is still online and easy to spot. The leak was first spotted by online security expert Troy Hunt, who is also the creator of HaveIBeenPwned, which allows people to check if any of their databases have been compromised.

From a technical perspective, the data page, which lists the patient reports online, does not carry a ‘no robots’ directive to exclude the pages from search engine indexing. Because of this, the entire database is available as a cached copy on Google and other search engines, even if the source database is secured.
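As an added illustration that is not part of the original report, the Python sketch below shows how a site owner could audit one of their own pages for the gap described above: it reads the `X-Robots-Tag` header and the robots meta tag from a response fetched without credentials. The function names and the sample responses are constructed for this example and are not taken from the lab's site.

```python
from html.parser import HTMLParser

BLOCK_INDEX = {"noindex", "none"}            # keep the page out of search results
BLOCK_CACHE = BLOCK_INDEX | {"noarchive"}    # keep it out of cached copies too


class _RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots" content="..."> tags."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "robots":
            self.directives |= {d.strip().lower() for d in a.get("content", "").split(",")}


def robots_directives(headers, body):
    """Directives from the X-Robots-Tag header and the robots meta tag."""
    parser = _RobotsMeta()
    parser.feed(body)
    found = set(parser.directives)
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":
            # "googlebot: noindex" -> "noindex" (drop an optional crawler prefix)
            found |= {d.split(":")[-1].strip().lower() for d in value.split(",")}
    return found


def audit_exposure(status, headers, body):
    """Findings for one response that was fetched without credentials."""
    if status != 200:
        return []                      # login wall or error: nothing was served
    found = robots_directives(headers, body)
    findings = ["served without authentication"]
    if not found & BLOCK_INDEX:
        findings.append("indexable: no noindex directive")
    if not found & BLOCK_CACHE:
        findings.append("cacheable by search engines: no noindex/noarchive")
    return findings


# Constructed sample responses (not taken from the lab's site).
OPEN_PAGE = (200, {"Content-Type": "text/html"}, "<html><body>Report list</body></html>")
TAGGED_PAGE = (200, {"X-Robots-Tag": "noindex, noarchive"}, "<html></html>")
LOGIN_WALL = (401, {"WWW-Authenticate": "Basic"}, "")

if __name__ == "__main__":
    for sample in (OPEN_PAGE, TAGGED_PAGE, LOGIN_WALL):
        print(sample[0], audit_exposure(*sample))
```

The tagged page still reports "served without authentication": robots directives only ask crawlers not to index or cache a page, so patient reports need an access check in front of them as well.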

Note that the company doesn’t seem to have any particular inclination to fix the issue, stating “We are moving to a new domain in January and retiring the existing website, so these problems will be fixed in Jan, but till then, we are not planning to do anything about this.” The patient data is currently located on a US-based server, outside Indian jurisdiction. Frankly, why should sensitive data of Indian patients be hosted outside India?

Is it legal?

While we couldn’t find any document indicating labs must secure patient data, the Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations, 2002 (Code of Ethics Regulations, 2002) (pdf) state that “Physicians are obliged to protect the confidentiality of patients including their personal and domestic lives, unless the law requires their revelation, or if there is a serious and identified risk to a specific person and / or community or notifiable disease.” It additionally states that “Records should not be made accessible to the attendants without the consent of the patient, except when the patient is not in a state to give consent and access to those records is imperative”, which is clearly not the case here. However, it’s not clear if a lab comes under the ambit of the code of ethics laid out by the IMC, unlike hospitals, nursing homes and other similar medical establishments which are governed by these guidelines.

It’s also worth noting that companies have got into trouble for backtracking on their privacy agreements, which, in this case, don’t even exist: most patients don’t know their data is up there online, let alone sign a privacy agreement for it. It’s also not clear what legal recourse is available for patients to get the data offline.

Significant breach of privacy

Publicly displaying medical records with disease and name identifiers is a significant breach of privacy. No patient walks into a doctor’s office to get a medical test for a condition, only to have the results publicly displayed online for everyone to see, and the lab’s response to this has been appalling at best. This episode underscores the need for a privacy law in India, with privacy protected by default. However, the Government’s reluctance in forming one has left companies shrugging off responsibility, hurting the end users.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ