The Department of Medical, Health and Family Welfare of a north Indian state left a database connected to the internet without a password, exposing the medical records of more than 12.5 million pregnant women, ZDNet reported. The records date back to 2014.

Sensitive info removed, but unsecured database still online

The database was discovered on March 7 by Bob Diachenko, a security researcher with Security Discovery, a cyber-security consulting firm. Diachenko wrote in a blog post that authorities in India took three weeks – until March 29 – to remove the sensitive information from the database. It's worth noting that the database is still available online without a password, which is why the state name has been withheld. The database had patients’ records, doctors’ details, children’s details, admin passwords and logins, all of which were collected as part of the Indian Pre-Conception and Pre-Natal Diagnostic Techniques (PCPNDT) Act, which was introduced in 1994 to prevent sex selection and female infanticide.

India: land of leaks

In March 2018 we reported that DISHA (Digital Information Security in Healthcare Act) would enable the digital sharing of personal health records with hospitals and clinics, and between hospitals and clinics, which would be the basis for the creation of digital health records in India. In 2017, the National Health Policy green-lit the creation of a National Health Information Network for sharing of Aadhaar-linked electronic health records. Given the commonplace nature of data leaks by Indian government bodies, the security of electronic health records is questionable at best.

Numerous breaches in 2018, many involving Aadhaar, made India the world capital of data leaks according to the World Economic Forum. Its Global Risks Report 2019 reads, “The largest [data breach] was in India, where [Aadhaar] reportedly suffered multiple breaches that potentially compromised the records of all 1.1 billion citizens. It was reported in January 2018 that criminals were selling access to the database at a rate of Rs 500 for 10 minutes, while in March a leak at a state-owned utility company allowed anyone to download names and ID numbers.”

Medical data leaks

  • In April 2018, it was found that Andhra Pradesh government websites were leaking Aadhaar numbers of women, their reproductive history from pregnancy to delivery, whether they had had an abortion, and so on. It also tracked the infants’ early years and vaccinations.
  • In June 2018, a public website run by the Andhra Pradesh government tracked state-run ambulances in real time, allowing anyone with an internet connection to monitor the movement of these vehicles and obtain sensitive information about the patient — such as the pick-up point, why the ambulance was called, and the hospital to which the patient was taken.
  • The same month, an unsecured Andhra Pradesh government website exposed the names and numbers of every person who purchased medicines, including those who bought Suhagra (a medicine for erectile dysfunction) from government-run stores. A dashboard on the Anna Sanjivini website allowed anyone with an Internet connection to access details including the names and phone numbers of every person who bought medicines from every single such store.

Other data leaks

In April 2018, an Andhra Pradesh government website leaked data of individuals including Aadhaar number, bank branch, IFSC code and account number, father’s name, address, gram panchayat, mobile number, ration card number, occupation, religion and caste information. Just two months later, the Andhra Pradesh government exposed details of up to 4.5 crore citizens — phone numbers, insurance status, and home addresses — on a portal accessible with only an Aadhaar number, The Times of India reported.