In a major breach of public health data, Uttar Pradesh’s largest referral hospital has been found to have made confidential medical records and personal information – including Aadhaar numbers – of kidney donors and beneficiaries public since at least May 2018.
A 21-year-old information security researcher, Rishi Dwivedi, had detected the open directory containing sensitive information of over 150 such transplants, stored on the server itself and easily accessible on Google.
Known as the “AIIMS of Lucknow”, Sanjay Gandhi Post Graduate Institute of Medical Sciences (SGPGI), however, has dismissed it as “impossible”.
The researcher sent repeated mails to SGPGI between May and August seeking a response from the authorities, but has received none so far.
The incident has emerged amidst a growing chorus for a strong data protection law guided by a fundamental right to privacy. A security lapse as elementary as this points towards a general lack of seriousness among state authorities towards sensitive personal data of citizens.
Of the 150-odd kidney transplant cases whose details are available in the directory, one case and the information it contains is a telling example of the extent of the data leak.
In one of the cases, the recipient is a 44-year-old man and the donor is his 76-year-old father.
The complete list of documents attached to a kidney transplant application is illustrated in the image below. Under ‘identity proofs of patient’, documents like Aadhaar, voter ID and PAN numbers were sought.
All the documents, as directed, were submitted to the transplant coordinator in the office of the competent authority – organ transplantation.
The leaked information contains detailed medical correspondence, records and tests, including some of the most sensitive personal information. The total number of files accessible in the directory runs into several thousands. All the files are stored in an open and unencrypted directory located within a sub-domain of the URL.
Among the leaks is the case of a 49-year-old deaf, mute and illiterate woman who had to undergo examinations recommended by a medical board to determine her mental capacity to decide on voluntary kidney donation to her 26-year-old son.
This health data breach comes at a time when the Ministry of Health and Family Welfare has introduced a draft bill that identifies “sensitive health related information” as that which, if “lost, compromised or disclosed” could cause “substantial harm, embarrassment, inconvenience, violence, discrimination or unfairness to an individual.”
Dr R K Sharma, head of department of Nephrology and one of the administrative heads, dismissed the idea of the data being exposed to the public. “What is being alleged cannot be true. Nobody would spend so much time unearthing so many files,” said Dr Sharma. He, however, added, “Something like this should not happen. We keep the kidney transplant waiting list on our site in the interest of transparency, but that’s all we put out.”
The directory contains a veritable trove of information not only on transplant patients but also on many other aspects of the hospital. For instance –
An RTI letter found in the open directory is a striking example of how queries are handled by the administration. A question dismissed as “untenable” and “hypothetical” is later directed in handwritten text to “send a clear reply” as the question was “not hypothetical”.
Known as the “AIIMS of Uttar Pradesh”, the Sanjay Gandhi Medical Institute in Lucknow is among the largest and most renowned state-run referral hospitals in the north Indian state. Given the number of patients it deals with and the magnitude of sensitive data it must collect and store, the security of such data directories is of utmost importance.
The vulnerability of this sensitive data arises from the fact that the directory has been made public. “What is alarming about this kind of a data leak is that it arises from a design that is so basic in its flaw,” said a security researcher who wished not to be named. “Files, especially health information, should never be stored openly on a server. It is akin to asking for it to be stolen,” he added.
To ensure that the data files are secure, the hospital should:
Rishi Dwivedi, a computer science graduate who first exposed the data breach, has flagged several data vulnerabilities and leaks to the concerned authorities. He had previously detected a trove of thousands of Aadhaar number leaks by the Government of Andhra Pradesh, a crypto-jacking malware on the Indian Olympic Association website and a data leak by the Indian Railways.
“I came across the transplant directory during my research on Aadhaar-related vulnerabilities,” the 21-year-old said. In the aftermath of the “Mera Aadhaar Meri Pehchaan” fiasco in March 2018, where Aadhaar numbers were publicly available in a manner similar to this case, Dwivedi started working on notifying authorities about other such vulnerabilities.
The Data Information Security in Healthcare Act (DISHA) and the Draft Data Protection Bill both classify health data as sensitive personal information. The draft DISHA bill has been introduced by the Ministry of Health and Family Welfare, and the Draft Data Protection Bill has been prepared by the Justice Srikrishna Committee appointed by the Ministry of Electronics and IT.
Data Breach
As per section 38 of DISHA, “a serious breach of digital health data” occurs if “a person commits a breach of digital health data intentionally, dishonestly, fraudulently or negligently” or “Any breach of digital health data occurs, which relates to information which is not anonymised or de-identified”.
Privacy and Confidentiality
Section 35 of DISHA states that a “clinical establishment” shall be “duty bound to protect the privacy, confidentiality, and security of the digital health data of the owner”.
Data Owner and Custodian
According to Section 31 of DISHA “the individual whose health data has been digitised” shall own the data. The hospital, in this regard, is the data custodian. Section 28 provides the owner the “right to privacy, confidentiality, and security of their digital health data” as well as the right to “refuse consent to the access or disclosure of his or her digital health data.”