Mumbai pathology lab leaks lab results of over 43K people


A Mumbai-based pathology lab has published the lab results of over 43,000 people online without securing them in any way, reports Buzzfeed. The lab dismissed its responsibility, telling Buzzfeed that “maintaining doctor-patient privacy is not something that we as the lab are concerned with.” We’ve tried contacting the lab repeatedly, but the administrator declined to comment, saying that we should call him tomorrow evening before he cut the call.

MediaNama was able to verify the files as containing complete patient testing data including HIV and other disease identifiers, along with personal identifiers like names. No contact details were available, so we haven’t been able to ascertain the authenticity of the data by calling patients who were tested. We’re not publishing any means of identifying the lab, given that the data is still online and easy to spot. The leak was first spotted by online security expert Troy Hunt, who is also the creator of HaveIBeenPwned, which allows people to check if any of their databases have been compromised.

From a technical perspective, the data page, which lists the patient reports online, does not have a ‘no robots’ modifier to exempt the pages from search engine indexing. Because of this, the entire database is available as a cached copy on Google and other search engines, and would remain so even if the source database were secured.

Note that the company doesn’t seem to have any particular inclination to fix the issue, stating “We are moving to a new domain in January and retiring the existing website, so these problems will be fixed in Jan, but till then, we are not planning to do anything about this.” The patient data is currently located on a US-based server, outside Indian jurisdiction. Frankly, why should sensitive data of Indian patients be hosted outside India?

Is it legal?


While we couldn’t find any document indicating labs must secure patient data, the Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations, 2002 (Code of Ethics Regulations, 2002) (pdf) state that “Physicians are obliged to protect the confidentiality of patients including their personal and domestic lives, unless the law requires their revelation, or if there is a serious and identified risk to a specific person and / or community or notifiable disease.” It additionally states that “Records should not be made accessible to the attendants without the consent of the patient, except when the patient is not in a state to give consent and access to those records is imperative”, which is clearly not the case here. However, it’s not clear if a lab comes under the ambit of the code of ethics laid out by the IMC, unlike hospitals, nursing homes and other similar medical establishments which are governed by these guidelines.

It’s also worth noting that companies have got in trouble for backtracking on their privacy agreements, which in this case don’t even exist: most patients don’t know their data is up there online, let alone have signed a privacy agreement for it. It’s also not clear what legal recourse is available for patients to get the data offline.

Significant breach of privacy

Publicly displaying medical records with disease and name identifiers is a significant breach of privacy. No patient walks into a doctor’s office to get a medical test for a condition, only to have the results publicly displayed online for everyone to see, and the lab’s response to this has been appalling at best. This episode underscores the need for a privacy law in India; privacy should be protected by default. However, the Government’s reluctance to form one has left companies shrugging off responsibility, hurting the end users.


MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
