Bengaluru civic body faces flak over data breach of Covid patients
Free Software Movement of India, a coalition of organisations working on data privacy, on Tuesday flagged that Covid-19 data record was being published by Bruhat Bengaluru Mahanagara Palike's (BBMP's) contractor Xyram Software Solutions (Xyramsoft).
Devina Sengupta & Akshatha M, ETTelecom, May 26, 2021, 08:04 IST
Mumbai/Bengaluru: Covid-19 data records of people who have been tested in Bengaluru were in the public domain for some time, which experts said is a clear violation of IT rules on data privacy and can lead to misuse of the information.
“We demand an immediate shutdown of this PHAST site until access management and a security audit is done,” Kiran Chandra, general secretary of FSMI, wrote in a letter to BBMP special commissioner (health and IT) Rajendra Cholan P.
PHAST refers to BBMP’s Public Health Activities, Surveillance and Tracking website.
“We also demand that BBMP take action against software company Xyramsoft for its carelessness in building a software without any security,” Chandra wrote in the letter.
The security lapse “can lead to misuse, exploitation and poses a catastrophic risk overall”, the advocacy group said.
Test results and personal data of anyone who has been tested in the capital of Karnataka could be retrieved by typing their 10-digit mobile number into the Xyramsoft site, it said.
The BBMP commissioner did not respond to a text message seeking comment as of press time Tuesday.
Xyram founder Nagesh Bhashyam said his firm was just following what BBMP had asked them to do. “You should ask them (BBMP) on what is being allowed and how it is allowed for citizens to access the data,” he said.
The company changed the identifier used to retrieve a test result from the mobile number to the SRF ID on Tuesday evening, hours after the issue was brought to the notice of BBMP and the software company.
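The access pattern the article describes, a record returned to anyone who supplies the right identifier, is an authorisation gap rather than an authentication step, and changing the key from a mobile number to an SRF ID does not by itself close it: knowing an identifier is not proof of being its owner. The Python below is an added illustration, not code from BBMP, Xyramsoft or the article. `weak_lookup` models the reported behaviour over constructed sample records, and `ResultService` shows one minimal corrective: a record is released only after the caller proves possession of the registered phone by echoing a short-lived, single-use one-time code, with an attempt limit and an audit trail. Every name, number and SRF value here is fictional, and the SMS sender is a stand-in callback.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample records; every name, number and SRF value is fictional.
RECORDS = {
    "9800000001": {"name": "Patient A", "srf_id": "SRF-CONSTRUCTED-0001", "result": "NEGATIVE"},
    "9800000002": {"name": "Patient B", "srf_id": "SRF-CONSTRUCTED-0002", "result": "POSITIVE"},
}


def weak_lookup(mobile: str):
    """The pattern described in the article: whoever supplies a 10-digit number
    gets that person's record. No caller identity is established, so this is a
    missing authorisation check, and keying on another identifier (an SRF ID)
    leaves the same property in place."""
    return RECORDS.get(mobile)


OTP_TTL_SECONDS = 300      # challenge lifetime
MAX_OTP_ATTEMPTS = 3       # wrong guesses allowed per challenge


class ResultService:
    """Hardened lookup: the record is released only after the caller proves
    possession of the registered phone by returning a one-time code sent to it."""

    def __init__(self, records, send_sms, clock=time.time):
        self._records = records
        self._send_sms = send_sms      # out-of-band channel to the phone owner (stand-in)
        self._clock = clock            # injectable for expiry handling
        self._pending = {}             # mobile -> (otp_hash, expires_at, failed_attempts)
        self.audit_log = []            # every access decision is recorded

    @staticmethod
    def _hash(otp: str) -> bytes:
        return hashlib.sha256(otp.encode()).digest()

    def request_otp(self, mobile: str) -> bool:
        """Issue a challenge. The response is identical whether or not the number
        is known, so this endpoint does not reveal who has been tested."""
        if mobile in self._records:
            otp = f"{secrets.randbelow(10**6):06d}"
            self._pending[mobile] = (self._hash(otp), self._clock() + OTP_TTL_SECONDS, 0)
            self._send_sms(mobile, otp)
        self.audit_log.append(("otp_requested", mobile))
        return True

    def fetch_result(self, mobile: str, otp: str):
        """Release the record only for a valid, unexpired, unconsumed challenge."""
        entry = self._pending.get(mobile)
        if entry is None:
            self.audit_log.append(("denied_no_challenge", mobile))
            return None
        otp_hash, expires_at, attempts = entry
        if self._clock() > expires_at or attempts >= MAX_OTP_ATTEMPTS:
            del self._pending[mobile]
            self.audit_log.append(("denied_expired_or_locked", mobile))
            return None
        if not hmac.compare_digest(otp_hash, self._hash(otp)):
            self._pending[mobile] = (otp_hash, expires_at, attempts + 1)
            self.audit_log.append(("denied_bad_otp", mobile))
            return None
        del self._pending[mobile]      # single use: the same code cannot be replayed
        self.audit_log.append(("released", mobile))
        return self._records[mobile]


if __name__ == "__main__":
    sent = {}
    svc = ResultService(RECORDS, lambda m, o: sent.__setitem__(m, o))
    svc.request_otp("9800000002")
    print(svc.fetch_result("9800000002", sent["9800000002"]))
    print(svc.audit_log)
```

The design point is that the phone number stays a lookup key but stops being the credential; the credential is the short-lived code that only the phone's holder can see. In a real deployment the challenge store would be server-side state with rate limiting per number and per source address, and the audit log would go to a system the contractor cannot edit.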
Privacy experts said these details could be harvested by data brokers and that the exposure was a violation of IT rules.
“The IT rules of 2011 clearly state that health record information is ‘sensitive’ data, and the collection, storage, and disclosure of such data must be bound by ‘reasonable security practices and procedures’,” Chandra of FSMI said. “This is a clear violation of IT Rules (2011) and shows an appalling lack of attention to protecting individuals' personal and sensitive data.”
This breach follows several alarms raised by cybersecurity experts that health records of Covid-19 patients, including their plasma details and blood groups, are available on the dark web. Such records can be obtained by the likes of banks and insurance companies, which can then decide whether a person should be offered a loan or an insurance policy, and how much premium or interest they should be charged, based on their medical information.
Srinivas Kodali, a Hyderabad-based researcher working on data and governance, said BBMP should investigate the issue to understand the scale of possible data misuse. “Covid-19 reports available in the public domain clearly show BBMP’s healthcare IT service provider (Xyramsoft) did not give any layer of security to the personal data,” he said. “This calls for a cyber security audit and BBMP should penalise the software provider.”
Since Xyram's product is health surveillance software, there was no need for the company to put the data in the public domain, Kodali said. “People will anyway get their test reports from testing laboratories or hospitals,” he said, while also holding the civic body responsible for the breach of privacy.
This is not the first time that Bengaluru's civic body has come under fire for data mismanagement. In 2019, in an earlier breach of personal data, property tax receipts of 7,700 taxpayers were uploaded online.