Medical data, just like financial information, is one of the most important pieces of information that an organisation can collect. Due to its sensitive nature, it needs to be protected such that no hacker or security flaw can ever expose its contents. But what if the agency collecting the medical records doesn’t deploy enough safeguards, which in turn leaves the medical records of millions of people exposed? Apparently, a state health department in India left nearly 12.5 million medical records of pregnant women exposed online after it failed to secure the database containing these records.
According to a report by ZDNet, the records, which belong to the Department of Medical, Health and Family Welfare of a state in north India, go as far back as 2014, and they contain extensive medical information, including the test reports of the women who were pregnant during that time.
The issue was first discovered by security researcher Bob Diachenko around March 7, 2019. Diachenko, as a part of his regular security audits, found that an “India-based IP contained a publicly accessible dataset of what appeared to be patients records, doctors details, children details, admin passwords, and logins”. These details had been collected as a part of the Pre-Conception and Pre-Natal Diagnostic Techniques (PCPNDT) Act, a law enacted by the Indian Parliament in 1994 to stop female feticide and correct the declining sex ratio in the country.
During his research, Diachenko found that the database contained 7,449,714 digitized versions of Form F and 5 million copies of other forms — Form A, Form D, Form E, and Form G — containing similar medical data.
“Additionally, anonymous complaints, court cases details, doctors details, children details (sex, age, status) were left completely exposed and open for public access – totaling to more than 12.5 Million of records,” Diachenko wrote in his blog.
Soon after he made the discovery, Diachenko notified the Indian Computer Emergency Response Team (CERT) about the issue. It took the agency nearly three weeks to pull all the medical records from the medical agency’s website. The server issues were fixed by the agency around March 29.
Notably, while the information has been taken down from the database, the flaw hasn’t been fixed. This leaves the agency’s other operations exposed online, the publication reported. The good news is that, despite the records being exposed online for a long time, there is no report of the data being misused or abused. – India Today