In a major technical error, more than 12.5 million medical records belonging to pregnant women were left exposed and available for public consumption.
Failure to secure a database containing the records – some of which dated back to 2014 – saw sensitive information left publically accessible. It was not until a researcher discovered the error on March 7th that the data breach came to light. Even then, it took more than three weeks before the data was erased.
A state health department in northern India, the details of which have not been revealed, collected the data as per the Preconception and Prenatal Diagnostic Techniques Act, a law enacted in 1994, to combat female foeticide and explore the reasons behind India’s declining sex ratio. The information in question included details of mothers, children, and doctors; details about court cases and formal complaints; and confidential medical data.
The login details of some professionals, including admin details and passwords, were also available as a consequence of the error. This was in addition to data which could be tied back to the mother, such as a contact telephone number and the location of centres where she underwent tests.
Because of the law, under which the data was collected, the sensitivity of the information exposed was heightened. Women undergoing certain procedures would have to declare they were not for the purposes of sex selection and female foeticide. Some records detailed pregnancy complications and specified the nature of tests performed. These are so-called “Forms F”, 7.5 million of which were hosted on the database.
The state and agency in question remains anonymous, as the database is still live and the fault has not been fixed. Fortunately, the Indian Computer Emergency Response Team (CERT) has erased the medical records and secured the server connected to the database after being notified by cybersecurity researcher Bob Diachenko. The agency in question is still vulnerable to similar data breaches in future, however, according to a report by ZDNet. While there have been no reports of data misuse, the incident exposes the data vulnerability and loopholes in the methodology.
