In a major breach of public health data, Uttar Pradesh’s largest referral hospital has been found to have made confidential medical records and personal information – including Aadhaar number – of kidney donors and beneficiaries public, since at least May 2018.
A 21-year-old information security researcher, Rishi Dwivedi, had detected the open directory containing sensitive information of over 150 such transplants, stored on the server itself and easily accessible on Google.
Known as the “AIIMS of Lucknow”, Sanjay Gandhi Post Graduate Institute of Medical Sciences (SGPGI), however, has dismissed it as “impossible”.
Apart from Aadhaar, the list of accessible documents related to donors and recipients include certificate of transplant authorisation, certification of advanced stage of disease, details of renal tests, voter identity cards, PAN numbers, marriage certificates, and class 10 and 12 mark sheets.
The researcher sent repeated mails to SGPGI between May and August seeking a response from the authorities, but got none so far.
The incident has emerged amidst a growing chorus for a strong data protection law guided by a fundamental right to privacy. A security lapse as elementary as this points towards a general lack of seriousness among state authorities towards sensitive personal data of citizens.
A Case Study of Divulged Information
From the 150-odd kidney transplant cases, details of which are available in the directory, one case and the information available therein is a telling example of the extent of data leak.
In one of the cases, the recipient is a 44-year-old man and the donor is his 76-year-old father.
The complete list of documents attached to a kidney transplant application is illustrated in the image below. Under ‘identity proofs of patient’, documents like Aadhaar, voter ID and PAN numbers were sought.
All the documents, as directed, were submitted to the transplant coordinator in the office of the competent authority – organ transplantation.
Thousands of Files Leaked, Hospital Denies Role
The leaked information contains detailed medical correspondence, records and tests, including some of the most sensitive personal information. The total number of files accessible on the directory run into several thousands. All the files are stored in an open and unencrypted directory and located within a sub-domain of the URL.
Among the leaks is the case of a 49-year-old deaf, mute and illiterate woman who had to undergo examinations recommended by a medical board to determine her mental capacity to decide on voluntary kidney donation to her 26-year-old son.
The Quint reached out to top administrative authorities who responded saying they were not aware of the data breach and that the data cannot be publicly accessible. “I am not aware of this issue but have heard something about the hack,” said Prof Rakesh Kapoor, director of SGPGI. However, that the case is of an entire directory kept open, unencrypted and publicly searchable – and does not require ‘hacking’ –was not acknowledged.
This health data breach comes at a time when the Ministry of Health and Family Welfare has introduced a draft bill that identifies “sensitive health related information” as that which, if “lost, compromised or disclosed” could cause “substantial harm, embarrassment, inconvenience, violence, discrimination or unfairness to an individual.”
Dr R K Sharma, head of department of Nephrology and one of the administrative heads, dismissed the idea of the data being exposed to the public. “What is being alleged cannot be true. Nobody would spend so much time unearthing so many files,” said Dr Sharma. He, however, added, “Something like this should not happen. We keep the kidney transplant waiting list on our site in the interest of transparency, but that’s all we put out.”
What About Other Official Documents of the Hospital?
The directory consists a veritable trove of not only information on transplant patients but also about many other aspects of the hospital. For instance –
- Minutes of its finance committee and general body meetings from 2016, dating back to 1986
- Official communications within the administration
- Detailed floor plans of different departments of the hospital
- RTI letters to the hospital
- Official photographs
An RTI letter found in the open directory is a striking example of how queries are handled by the administration. A question dismissed as “untenable” and “hypothetical” is later directed in handwritten text to “send a clear reply” as the question was “not hypothetical”.
Known as the “AIIMS of Uttar Pradesh”, the Sanjay Gandhi Medical Institute in Lucknow is among the largest and most renowned state-run referral hospitals in the north Indian state. Given the number of patients it deals with and the magnitude of sensitive data it must collect and store, the security of such data directories is of utmost importance.
How is the Data Leaking?
The vulnerability of this sensitive data arises from the fact that the directory has been made public. “What is alarming about this kind of a data leak is that it arises from a design that is so basic in its flaw,” said a security researcher who wished not to be named. “Files, especially health information, should never be stored openly on a server. It is akin to asking for it to be stolen,” he added.
To ensure that the data files are secure, the hospital should:
- Store the files in a database or a secure location inside the server (where they are not publicly reachable)
- Keep the important fields (such as passwords, UIDAI number) in the database encrypted.
- Specify access rights to the database to ensure that only those with proper credentials can gain entry.
Findings of the Information Security Researcher
Rishi Dwivedi, a computer science graduate, who first exposed the data breach, has flagged several data vulnerabilities and leaks to the concerned authorities. He had previously detected a trove of thousands of Aadhaar number leaks by the Government of Andhra Pradesh, a crypto-jacking malware in the Indian Olympic Association website and data leak by the Indian Railways.
Dwivedi says he alerted the hospital as soon as he came across the open directory. “I discovered the open directory on 31 May and immediately mailed the hospital but got no response,” said Dwivedi. “I sent them a total of five mails, the last one being on 21 August but have failed to elicit any response. Why would such a big institution be so apathetic to such an important issue?” he added.
“I came across the transplant directory during my research on aadhaar related vulnerabilities,” the 21-year-old said. In the aftermath of the “Mera Aadhaar Meri Pehchaan” fiasco in March 2018, where Aadhaar numbers were publicly available in a manner similar to this case, Dwivedi started working on notifying authorities about other such vulnerabilities.
A Serious Data Breach?
The Data Information Security in Healthcare Act (DISHA) and Draft Data Protection Bill, both classify health data as sensitive personal information. The draft DISHA bill has been introduced by the Ministry of Health and Family Welfare and the Draft Data Protection Bill has been prepared by the Justice Srikrishna Committee appointed by the Ministry of Electronics and IT.
Data Breach
As per section 38 of DISHA, “a serious breach of digital health data” occurs if “a person commits a breach of digital health data intentionally, dishonestly, fraudulently or negligently” or “Any breach of digital health data occurs, which relates to information which is not anonymised or de-identified”.
Privacy and Confidentiality
Section 35 of DISHA states that a “clinical establishment” shall be “duty bound to protect the privacy, confidentiality, and security of the digital health data of the owner”.
Data Owner and Custodian
According to Section 31 of DISHA “the individual whose health data has been digitised” shall own the data. The hospital, in this regard, is the data custodian. Section 28 provides the owner the “right to privacy, confidentiality, and security of their digital health data” as well as the right to “refuse consent to the access or disclosure of his or her digital health data.”
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)