The data allegedly showed details like name, age, gender, patient ID, ICMR test ID, lab name, test result, sample collection date, hospital name if the patient was hospitalised, among others.

A medical professional with a COVID-19 patient (image for representation)

News | Privacy | Wednesday, May 26, 2021 - 18:47

The portal where the Bruhat Bengaluru Mahanagara Palike (BBMP) uploaded information about COVID-19 patients was, for a while, accessible to anyone who had a phone number. The data, uploaded by Xyramsoft, a BBMP contractor, allegedly showed details including name, age, gender, patient ID, ICMR test ID, lab name, test result (positive/negative), sample collected and received dates, sample type, hospital name if the patient was hospitalised, as well as the status of symptoms. The allegation was made by the Free Software Movement of India (FSMI), a coalition of organisations working on software freedom, access and privacy.

FSMI wrote about the breach to BBMP Special Commissioner (Health and Information Technology) Rajendra Cholan P, and said it would not be hard for any data broker to harvest these details by writing an automated script. The data on patients could be accessed by anyone using a phone number, FSMI wrote in its letter on May 25. The Economic Times reported that this data remained accessible to the public for a while.

“The IT Rules of 2011 clearly state that health record information is ‘sensitive’ data and the collection, storage and disclosure of such data must be bound by ‘Reasonable security practices & Procedures’. This is a clear violation of IT Rules (2011) and shows an appalling lack of attention to protecting individuals’ personal and sensitive data,” the letter read. It added that the lack of proper security measures for sensitive health data in the middle of a pandemic “can lead to misuse, exploitation and poses a catastrophic risk overall.”

The BBMP has since blocked the portal where the data was being updated; it was part of the civic body’s Public Health Activities, Surveillance and Tracking (PHAST) website.

FSMI demanded that Public Health Activities, Surveillance and Tracking (PHAST) be shut down immediately until access management is put in place and a security audit is done. “We also demand that BBMP take action against the software company Xyramsoft for its carelessness in building software without any security,” it said.

Speaking to TNM, Srinivas Kodalli, a Hyderabad-based researcher and FSMI member, said that the civic body should be carrying out both internal and external audits of all its databases to check for data leaks. He further added that a CERT-In panel (India’s nodal cybersecurity agency) should investigate the matter and conduct an external audit.

“Public health surveillance is a double-edged sword — if used effectively, it can be very helpful. If not, it may pose a risk. In the case of a data breach of COVID-19 patients in Bengaluru, it seems like the civic body does not know how the data is being used. The already vulnerable people are being scammed because the data is available in the public domain. BBMP should look for other places for data leaks and also conduct audits of the systems,” he said.

Kodalli added that technology is merely a tool in fighting the pandemic, but the civic body is not appropriately managing these tools. “Governance bodies are involving IT support in the fight against COVID-19, which is scary since they do not have much experience with the management of such widespread diseases. The BBMP should be focusing on getting more epidemiologists on board rather than the IT sector,” he said.

ET had quoted Nagesh Bhashyam, the founder of Xyram, as saying that the firm was doing what the civic body had told it to do.

This isn’t the first time Bengaluru’s COVID-19 patient data has been publicly accessible.

In November last year, a Bengaluru resident accidentally found a major loophole in the Karnataka government’s website where people could check their COVID-19 results. At the time, resident Shashi Kumar put out a series of tweets explaining how sensitive information could be obtained with just the SRF number issued at the time of testing.

Early on in the pandemic, on the day India’s lockdown began, the Karnataka government made addresses of those under home quarantine public, including 14,000 people from Bengaluru.

It is important to note that India doesn’t have a data protection law.