Data, Privacy, Pandemic: India just had the Biggest Medical Records Breach Ever | ORF

Public debate this week has been dominated by how WhatsApp compromises personal data and privacy, and the pros and cons of its competitors. On 5 January, there was a story on a technology portal about how details of COVID-19 test results of tens of thousands of patients were leaked on the net through multiple Government of Delhi domains (delhigovt.nic.in/delhi.gov.in/revenue.delhi.gov.in). Individual reports of lab tests were available as well. Yet, no media follow-up happened on the issue.

What happened by accident in Delhi is quite similar to what Karnataka deliberately did early on during the pandemic: With the aim of supporting contact-tracing, the government published the addresses of those who tested positive for COVID-19 in the state. The question of whether the right to privacy can be suspended during a pandemic, and how the duty of patient confidentiality is handled by guardians of data during a pandemic, was briefly discussed in the media.

However, the general attitude to patient confidentiality by major stakeholders remains a problem area in India. The National Digital Health Mission (NDHM) has a grand vision of leveraging technology to improve health. According to Prime Minister Modi’s Independence Day Address in August 2020, the Mission aims to link every diagnostic test, every illness episode, and every prescription by doctors to a single voluntary health ID, access to which will be controlled by the patient. With patient history and treatment details available at your fingertips, it is expected that the quality of care will improve tremendously.

The Ministry of Health and Family Welfare has said that NDHM will liberate Indians from the challenges of finding the right doctors, seeking appointments, paying consultation fees, making several rounds of hospital visits for prescription sheets, etc. It is currently being tested across Union Territories; individual patients, doctors and healthcare providers are expected to voluntarily register to be part of this centralised repository, the success of which will depend heavily on the people’s trust in the integrity of the systems in place.

However, this admirable dream of better quality healthcare turns into a nightmare when every test, the details of every illness and every prescription—linked to a single health ID—is leaked to be available to anybody with access to the internet, due to a system failure. A system failure resulting in privacy breaches in the public sector is often due to lack of resources or trained personnel, but such leaks are by no means limited to the public sector.

While exploring the Delhi government leak of COVID-19 patient details, it was found that both private hospitals and diagnostic centres were treating medical records with shocking disregard for patient privacy or confidentiality. While digitalisation has made hospital-level processes easier, sufficient precautions are not being taken to safeguard patient data.

A Multi-Speciality Private Hospital in Kerala
In a data breach unprecedented in its scale in India, a large multi-speciality private hospital in Kerala had its complete patient records from the last five years—involving hundreds of thousands of test results, scans, prescriptions, etc—leaked on the internet, all of it searchable by a unique patient ID. It remains unclear how many weeks or months (or years) these records remained in the public domain. Despite having a strong public sector, Kerala is one of the few Indian states which also has a well-developed private healthcare delivery system across the state, and about two-thirds of hospitalisations happen in private sector hospitals in the state, according to the latest data (2017-18).

The hospital has one of the 101 private NABL Accredited Laboratories in Kerala for RT-PCR testing, and therefore, a huge number of COVID-19 test reports have been available on the net, as part of the breach (Figure 1). Many antigen as well as CBNAAT test results were also to be found.

Figure 1: A Leaked COVID-19 Test Result



Source: Redacted documents randomly selected from the breach.

In addition to COVID-19 test reports, the results of a range of diagnostic tests, consent forms and other hospitalisation-related documentation, dated between 2015 and 2021, were available online (Figure 2).

Figure 2: Sample Medical Records from the Breach


Source: Redacted documents randomly selected from the breach.

To make matters worse, separate folders named according to the Patient ID, containing time-stamped medical records including scans of results and supporting documents, were available in the public domain for anyone with an internet connection to access (Figure 3).

Figure 3: A Sample Patient Folder from the Hospital MIS


Source: Redacted documents randomly selected from the breach.

Lastly, a systematic list of links to all such folders sorted by the Patient ID was made available on a single index page (Figure 4), making the job of anyone downloading the whole database very easy. This page had details of roughly 200,000 patients, which possibly covers every interaction in the hospital over the last 5-6 year period. Each one of these Patient IDs was linked to a folder with multiple medical records as seen in Figure 3. This breach potentially involved several gigabytes of patient data—if not terabytes—documented in many hundreds of thousands of separate files. Most of these medical records included patient names, email addresses and/or phone numbers.

Figure 4: The Patient ID Directory, Linked to Respective Folders


Source: Redacted documents randomly selected from the breach.

Not a One-off Case
This multi-speciality private hospital is by no means an aberration. A ten-minute search on the internet revealed that a private diagnostic centre in Delhi had all its test results exposed online (Figure 5). It seemed that the results of all the tests they conducted over the last three months were available online. The number seemed to be limited to only a couple of hundred, possibly because older test results were removed from the folder.

Figure 5: Samples from the Diagnostic Centre Breach


Source: Redacted documents randomly selected from the breach.

Both these institutions were informed of the breach on the same day it came to this researcher’s attention, and were requested to take steps to ensure that patient privacy is maintained. Efforts to directly contact the Chief Information Officer (CIO) of the hospital using emails and telephone calls were unsuccessful despite multiple attempts, although promises were made that the data would soon be taken off the internet.

However, even after being alerted, these institutions have not done enough to remove highly sensitive and confidential patient information from the public domain. Most of this data remains available on search engines. In fact, the latest available test result on the Delhi diagnostic centre’s website is now dated 11 January 2021, four days after the senior management was informed of the breach. Unless different stakeholders across the public as well as private sector start taking patient privacy seriously and improve patient confidence, NDHM may prove to be a damp squib, despite its spectacular promise.