In a major glitch, COVID-19 patients’ data, including personal information, uploaded to Bruhat Bengaluru Mahanagara Palike’s (BBMP) portal was accessible for a while on Wednesday to anyone using just a phone number.
The data, uploaded by BBMP contractor Xyramsoft, allegedly showed details including name, age, gender, patient ID, ICMR test ID, lab name, test result (positive/negative), sample collected and received dates, sample type, hospital name if the patient was hospitalised, and the status of symptoms.
The issue came to light after the Free Software Movement of India (FSMI), a coalition of organisations working on software freedom, access, and privacy, made the allegation, The News Minute reported.
The body wrote to the BBMP Special Commissioner (Health and Information Technology) Rajendra Cholan P about the data breach and stated that it is not difficult for any data broker to harvest these details by writing an automated script. The data on patients could be accessed by anyone using a phone number, FSMI wrote in its letter on May 25. Reportedly, the data was accessible to the public for a while.
“The IT Rules of 2011 clearly state that health record information is ‘sensitive’ data and the collection, storage and disclosure of such data must be bound by ‘Reasonable security practices & Procedures’. This is a clear violation of IT Rules (2011) and shows an appalling lack of attention to protecting individuals’ personal and sensitive data,” the letter read.
Lack of proper security measures for sensitive health data in the middle of a pandemic can lead to misuse and exploitation, and poses a catastrophic risk overall, it added.
Taking cognizance of the breach, the BBMP has blocked its Public Health Activities, Surveillance, and Tracking (PHAST) website, where the data was being updated. FSMI has demanded that PHAST be shut down immediately until a security audit is done, and that the BBMP take strict action against the software company Xyramsoft.
Reportedly, this isn’t the first time Bengaluru’s COVID-19 patient data has been accessible. Earlier, in November 2020, a Bengaluru resident accidentally found a massive loophole in the Karnataka government’s website where people could check their COVID-19 results.