The Bruhat Bengaluru Mahanagara Palike has woken up to a security lapse in the collection of COVID-19 test data that includes health records of citizens collected for its PHAST (Public Health Activities, Surveillance and Tracking) portal. This breach, which allows a hacker to access information by running a script, was brought to the civic body’s attention by the Free Software Movement of India.
After they showed how the data could be easily accessed just with the phone numbers, BBMP on Wednesday, shut down the site.
The sensitive data that was published on the portal included patients’ name, age, gender, patient ID, ICMR test ID, lab name, test result (positive/ negative), sample collected and received date, sample type, hospital name (if the patient is hospitalized), status of symptoms.
This information was published on the portal by a BBMP contractor.
The Free Software Movement of India has urged officials to not only conduct a security audit but to also take action against the software company for “its carelessness in building software without any security.”
In a letter to BBMP Special Commissioner (Health and IT) P. Rajendra Cholan, Kiran Chandra, general secretary of Free Software Movement of India, said it was not hard for a data broker to harness these details by writing an automated script.
“The IT Rules of 2011 clearly states that health record information is ‘sensitive’ data and the collection, storage and disclosure of such data must be bound by ‘Reasonable security practices and procedures’. This is a clear violation of IT Rules (2011) and shows an appalling lack of attention to protecting individual’s personal and sensitive data. The lack of proper security practices for sensitive health record data, especially in the midst of the peak of the pandemic can lead to misuse, exploitation and poses a catastrophic risk overall,” the letter read.
Srinivas Kodali, also from Free Software Movement of India, said that it was still unclear how many people were making use of this data. But he stressed on the immediate need for the civic body to take up a cyber security audit, as mandated under the IT Act. He pointed out that this was not the first time such issues of personal data breach had happened in the BBMP and cited data leak from the civic body’s call centres, which lead to the alleged bed blocking scam.
BBMP Chief Commissioner Gaurav Gupta clarified that the site was made accessible to the public in October last year for citizens to download their COVID-19 certificates, to access which they had to key in both the SRF ID and mobile number. However, when the SRF ID generation started to get delayed, a decision was taken to do away with it and just keep the mobile number field. “This was neither a design fault or any security lapse. It was a feature to allow easy access,” he said. However, he admitted that an additional security feature, such as OTP, could have been introduced.
He added that the civic body would once again check the data design. Stating that security audits are taken up regularly, he said administrative action would be taken to set right any lapses.