In an incident that starkly exposes India’s lack of a strong legal framework concerning data privacy, the medical records of more than 43,000 people were reportedly leaked online accidentally by a pathology lab.

Shockingly, the records include those of patients who tested for HIV – some of them as young as 17. What’s worse, the pathology lab said ensuring patient medical data privacy was not something it was “concerned with”, Buzzfeed reported.

According to the Buzzfeed news report, sensitive details like names, addresses, dates of birth, and blood test results of patients were stored in an unprotected folder on the website of pathology lab Health Solutions.

Lack of Proper Security Left Sensitive Info Exposed

The lapse was discovered by Troy Hunt, a web security expert. Speaking to Buzzfeed’s Pranav Dixit, Hunt revealed that he gained access to the medical records of thousands of patients as they were stored in a folder with the directory listing option enabled. The files are stored on a server in Provo, United States.

What this meant was that there was literally a folder describing all the 43,000-plus files... This also means we have no idea of how many people have seen the files — they could have been viewed within cache...
Troy Hunt 

And since the reports were not password-protected, people could simply download sensitive medical information of any patient from the pathology lab’s website. “It’s about as bad as it gets security-wise. This serves as a reminder that once we digitise anything, there’s a far greater risk of it being inadvertently disclosed,” Hunt added.


Ensuring Patients’ Privacy Not Our Concern: Lab

On being contacted by Buzzfeed, Rodrigues Kustas, the administrator at Health Solutions, initially denied knowledge of the security lapse, only to later wash his hands of the whole mess by claiming that there was nothing that could be done about the problem right now as the pathology lab was currently in the process of moving to a new website.

He further added:

Look, we are not the doctors, we merely do blood tests for patients. We also have more than 250 franchisees all over Mumbai who do tests for us. So maintaining doctor-patient privacy is not something that we as the lab are concerned with.

Kustas said that the lab’s website was developed by a third-party developer whom he described as a personal friend, but refused to provide any more details.


Lack of Policy to Blame

The callous reply by Kustas, however, would come as no surprise to people who are aware of the state of medical privacy in India. Even after almost 70 years of independence, India lacks a robust legal framework concerning medical privacy or privacy laws in general.

Private hospitals frame and follow their own guidelines and maintain patient privacy on their own in the absence of a strong legal framework.

(Source: BuzzFeed News)
