A data leak from a pathology laboratory has taken the medical fraternity by surprise after a web security expert and blogger tweeted about the same. As many as 40,000 medical records from the Health Solutions pathology laboratory, Thane, were leaked by a hacker six months back but the breach has come to light now after blogger Troy Hunt took to the social media about it.
The leaked data contained results of tests of patients at the Health Solutions along with other details like name, age, addresses etc. Many reports also had results of the HIV tests. City pathologists say the leak is of great concern as many corporate pathology laboratories use servers for data recording which can be misused. After coming across the leak, Hunt tweeted, “Reporting tens of thousands of exposed medical records indexed by Google and containing test results for things like HIV is not fun”. In another tweet, Hunt said, “I need a Mumbai local to call up the local pathology centre leaking all their patient data and have them get in touch with me. Any takers?”
When The Hindu contacted administrator of Health Solutions, Rodrigues Kustas, he said they had hired a firm to keep the data on a server. “They did not do a good job and hence we got another company to do the work. The data leak was six months ago and by now we already have a new server,” said Mr. Kustas adding that they are an accredited laboratory and such a breach was unintentional. However, the data leak was not reported to the cyber cell by Health Solutions.
According to Dr. Prasad Kulkarni, executive member of Maharashtra Association of Practicing Pathologists and Microbiologists (MAPPM), such a breach of patients privacy is simply unacceptable. “We have so far not received any complaint against the laboratory but patients data should be guarded stringently,” said Dr. Kulkarni adding that such data can be used for marketing purposes and also lead to harassment of patients. “For example, if someone’s report shows high blood sugar, that particular information can be used by anyone who is marketing medicines or a medical set up for that matter,” he said. “It needs to be investigated if the data was leaked accidentally or intentionally,” he added.
“We have taken necessary action by deleting all records from the website and it has been shut down temporarily to ensure that none of the private information of any of our patients goes into public domain. While the website has been hacked, none of the confidential information on health issue of any of our patients has been compromised,” said Amit Sharma, director of HS Pathology Private Ltd.