A list containing details of nearly 1.5 crore partially-vaccinated individuals in Tamil Nadu had been uploaded to the State’s Department of Public Health and Preventive Medicine’s (DPHPM) website, it emerged over the weekend. The list contained details such as the names, vaccination dates, beneficiary ID, etc of individuals, organised by their districts, according to an archived version of the list viewed by MediaNama.
A master list was uploaded onto the DPHPM’s website which further linked out to sheets containing district-wise details. T.S. Selvavinayagam, Director of the DPHPM told MediaNama that the list was uploaded accidentally and was part of the department’s internal initiative to help officials conduct outreach among those overdue the second dose of their Covid-19 vaccination.
The list was removed from the website on May 6th after a public outcry online, however, it is possible that by that time copies of the list were already made. Further, CS Akshay, an independent security researcher, told MediaNama, that data in the district-wise lists was still accessible to the public.
The publication of such details raises concerns about the privacy and autonomy of unvaccinated individuals in the State.
Why the Indian govt should be accountable under the data protection law (as per the draft, they aren't): govt gets away with shit like thishttps://t.co/kOr6sc6rzx
— Nikhil Pahwa (@nixxin) May 7, 2022
Details of the document the Tamil Nadu government uploaded
- The document was uploaded and displayed on the DPHPM website’s homepage as ‘District wise/ Block wise list of beneficiaries eligible for 2nd dose yet to be vaccinated’
- The master list, a Google Sheets document, links out to 46 district-wise organised Google Sheets of all partially vaccinated individuals in the State.
- The district-wise lists further the district, block, session site ID and name, beneficiary name, 14-digit beneficiary reference ID, type of COVID-19 vaccination centre, vaccine name, the date of the first dose and the number of days a beneficiary was overdue for the second dose.
- The aforementioned data may also have been published for child beneficiaries, as data for Corbevax recipients were also in the lists. Corbevax has only been cleared for children.
- It is not clear how long the data was public, although according to metadata on the file, it was created on 25th April. However, Selvavinayagam said the data may not have been public throughout the intervening time as his department had also been collating the data into the sheets for 7-10 days.
A recap of several pandemic-related data breaches
The Covid-19 pandemic has led to many such leaks or breaches of personal data. In early 2020, shortly after the pandemic began, data was similarly leaked and circulated of citizens who had recently travelled abroad or had contracted Covid-19. Below are a few instances of the same:
March 2020:
- A government database of individuals mandated to home quarantine in Gurugram was reportedly leaked.
- The same month, personal information of 722 residents of New Delhi- who had been mandated home quarantine- including phone numbers, full address, and passport numbers, were circulated on WhatsApp.
- A list of 15,000 individuals, with their addresses and phone number, mandated home quarantine was uploaded by Karnataka’s Health Department on Twitter.
May 2020: Names, phone, and location details of at least 5,400 people put under quarantine and tracked by Madhya Pradesh’s Sarthak app, used to track people required to quarantine were reportedly leaked.
Also Read:
- TN PDS breach: More data leaks on hacker forum, site taken down
- T-Mobile hackers get away with sensitive data of 100 million users
- Tamil Nadu’s Makkal Number Exposed In Massive Data Breach, Bringing Into Question Its Privacy Implications And Legality
Have something to add? Post your comment and gift someone a MediaNama subscription.
I cover health technology for MediaNama but, really, love all things tech policy. Always willing to chat with a reader! Reach me at anushka@medianama.com
