Frame-14

Privacy Ninja

        • DATA PROTECTION

        • Email Spoofing Prevention
        • Check if your organization email is vulnerable to hackers and put a stop to it. Receive your free test today!
        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • AntiHACK Phone
        • Boost your smartphone’s security with enterprise-level encryption, designed by digital forensics and counterintelligence experts, guaranteeing absolute privacy for you and up to 31 others, plus a guest user, through exclusive access.

        • CYBERSECURITY

        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$3,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Secure your digital frontiers with our API penetration testing service, meticulously designed to identify and fortify vulnerabilities, ensuring robust protection against cyber threats.

        • Network Penetration Testing
        • Strengthen your network’s defenses with our comprehensive penetration testing service, tailored to uncover and seal security gaps, safeguarding your infrastructure from cyber attacks.

        • Mobile Penetration Testing
        • Strengthen your network’s defenses with our comprehensive penetration testing service, tailored to uncover and seal security gaps, safeguarding your infrastructure from cyber attacks.

        • Web Penetration Testing
        • Fortify your web presence with our specialized web penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats.

        • RAPID DIGITALISATION

        • OTHERS

Indian Government Sites Leaking Patient COVID-19 Test Results

Indian Government Sites Leaking Patient COVID-19 Test Results

Websites of multiple Indian government departments, including national health and welfare agencies, are leaking COVID-19 lab test results for thousands of patients online.

These leaked lab reports which are being indexed by search engines expose patient data, and whether they tested positive for coronavirus.

Google indexes COVID-19 lab test reports

This week, while searching for a means to obtain COVID-19 test results online, I accidentally came across what looked like exposed COVID-19 test results for thousands of patients.

As observed by BleepingComputer, each of these PDF reports showing up on Google were hosted on *.gov.in and *.nic.in domains.

These domains belong to multiple government agencies located in the national capital of New Delhi.  

Each PDF contained hundreds of records of patients who underwent an RT-PCR test, and exposed:

  • patient name
  • age and/or date of birth
  • report identifier numbers, including the nationally-trackable Specimen Referral Form (SRF) ID used by government authorities
  • dates of testing
  • hospital site where testing took place and the doctor’s information, and
  • whether the patient tested positive or negative for the SARS-CoV-2 virus
COVID19 test results leaked india
Each PDFs has pages of tables exposing COVID-19 test results for hundreds of patients
Source: BleepingComputer

Also Read: What Legislation Exists in Singapore Regarding Data Protection and Security?

While a majority of lab test reports are dated between November 2020 and January 2021, BleepingComputer also observed reports from April 2020 and earlier, as a part of this leak spanning across multiple government agencies.

In addition to summary tables, some files also had entire scanned sheets of individual patient lab test reports enclosed within.

Redacted COVID-19 test report found in leaked PDF
Some PDFs also contained individual lab test reports per patient
Source: BleepingComputer

The number of patient records contained in the few PDFs analyzed by BleepingComputer already exceeded 1,500 when totaled.

We estimate that even more patient records are leaking in real-time.

Government asks testing labs to provide data for ‘test, trace, isolate’

Both public and private COVID-19 testing labs in India are required to report every RT-PCR test result to the designated government agencies, as a part of the country’s ongoing “test, trace, isolate, treat” efforts.

A physician who is the director of one such lab told BleepingComputer:

“In order to successfully implement the test-trace-isolate process, the government often requires labs to send patients’ test results to the relevant government authorities. This is in addition to the data uploaded by labs onto the Indian Council of Medical Research (ICMR) web portal, where every RT-PCR test done in India is documented.”

Also Read: A Look at the Risk Assessment Form Singapore Government Requires

Every leaked COVID-19 test report observed thus far by BleepingComputer, even the ones hosted on different government domains, have an identical URL structure.

Based on the URL structures, it appears, the PDFs are hosted on the same CMS system which is used by the Indian government offices for posting publicly accessible documents, like job interview notices, business tender bulletins, etc. 

It is likely, the employees who uploaded these COVID-19 test reports onto the CMS intended to share these internally, without realizing these reports were being inadvertently shared via a publicly accessible system.

On discovering the leak and verifying its origin, BleepingComputer promptly reached out to relevant parties including multiple Delhi government offices, National Informatics Centre (NIC), Digital India, and the Indian CERT.

Online COVID-19 test verification systems typically restricted

Multiple Indian states have rolled out web portals that let government offices and healthcare professionals share data and easily verify the authenticity of COVID-19 reports online using their SRF ID.

These systems are, however, restricted from the eyes of the general public.

Further, these web portals are secured with captchas, and require an additional verification parameter, such as the registered phone number of the authorized healthcare worker, before the test result can be disclosed.

COVID-19 Assam test results portal
Government systems disclosing COVID-19 results are usually restricted to authorized personnel
Source: COVID-19 Assam test results portal

This measure both restricts data access to limited parties involved in test-trace-isolate programs and makes it easy for authorities such as airport staff to distinguish authentic COVID-19 test reports from fakes.

Under no circumstances are COVID-19 test results for multiple patients meant to be exposed to the general public or be made available for bulk web scraping.

While this leak has originated on Indian government websites, previously, some private labs risked exposure of COVID-19 test reports due to insecure QR code implementations.

BleepingComputer has reached out to relevant parties including the Delhi government offices, National Informatics Centre (NIC), Digital India, and the Indian CERT multiple times for comment but we did not hear back.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us