A public website run by the Andhra Pradesh government, hosted on Microsoft’s Azure cloud computing service, tracks state-run ambulances in real time, allowing anyone with an internet connection to monitor the movement of these vehicles and obtain sensitive information about the patient — such as the pick-up point, why the ambulance was called, and the hospital to which the patient was taken — reported HuffPost.
The website displays the pick-up point and the purpose of the visit — such as assault, pregnancy, heart attack, asthma, etc — sparking concerns over the kind of data collected by state governments. Questions about the security of this data, in the total absence of laws laying out how such data should be stored, have been raised. There is no law governing with whom the data can be shared, and whether private companies can harvest and monetise this data.
The much anticipated Justice BN Srikrishna Committee report is expected to form the basis of a data privacy law; the report is expected this week.
Remember that since the website gives access to the purpose of ambulance visit, anybody can track the movements of pregnant women and victims of assault. Such data being available in the public domain is bad news in itself, it can easily be broadcast and cause serious harm to citizens. The tracker also records information like if the ambulance’s ignition switch is on, or off — revealing that such granular data gathering is now commonplace.
“Among the last things a person needing an ambulance wants is for their medical situation to be broadcast online without their consent,” said Pam Dixon, founder and executive director of the World Privacy Forum told HuffPost. “Highly specific and sensitive health information should not be available about individuals online. This is especially so for information that is identifiable. It is not the government’s role to disturb peoples’ medical privacy.”
Srinivas Kodali is a security researcher who first discovered this vulnerability. He said that the dashboard’s use of Microsoft’s Azure platform was a cause for concern. “The risks are enormous,” Kodali told HuffPost. “This is the kind of data that could be used to identify people, and this is the kind of data that patients don’t want anyone to have access to.”
Andhra’s other privacy goof-ups
This isn’t the first instance of a faux pas bn the Andhra Pradesh government when it comes to citizen privacy. It’s ambitious People’s Hub has a integrated database that puts together citizen information across multiple government departments (which would be in silos) lance tracker is only the most recent of a long series of privacy breaches linked to Andhra Pradesh’s ambitious People’s Hub: a vast integrated database that merges citizen information across multiple government departments and presents the information as easily searchable dashboards.
The state government has previously left sensitive medical data exposed. Just yesterday, it was revealed by HuffPost that the Andhra Pradesh government records names, contact numbers, details of items purchased, of anybody who bought medicines from government-owned Anna Sanjivini Stores.