Massive Public Health Data Leak Puts Personal Data of Scores of Citizens at Risk | The Probe Investigation

In what can be called perhaps one of India's largest public health data breaches, lakhs of personal health data, including Covid data of citizens was found to be breached online. This is perhaps one of the most glaring data breaches in the country that exposes the gross incompetence of our security infrastructure in the handling of sensitive personal data of the citizens.

The Probe started its investigation after receiving leads from a source about Covid-19 data of citizens being directly uploaded by many District health authorities - on their website - without taking any security precautions.

We first visited a government website of a district in UP, just a few kilometres away from Uttar Pradesh Chief Minister Yogi Adityanath’s constituency Gorakhpur. We are withholding the information of the district and the website to protect the data of the citizens, but here is a glimpse of what these district authorities uploaded on their website. The image that you see below is one of the compromised pages of the district authorities website, where one can see PDF files being directly uploaded that contain all vital details of the citizens of the district.

The listing of pdf files in the UP district government website that contains Covid-19 related vital information of citizens.

On clicking the unprotected PDF links, we found staggering personal details, including mobile numbers and critical health parameters of thousands of district residents. The serial numbered data has details of the case ID of the patient, the full name and address of the patient, the age, gender, the date of sample collection, the RTPCR test results and what’s worse are the records also showed the mobile numbers of these patients. We found thousands of names and mobile numbers of unsuspecting citizens on many such websites. The reports also enlist the name and signature of the Chief Medical Officers of the District.

Screenshot of the PDF document found on a government website that has people’s name, gender, age, address and mobile number.

Not just in the BJP ruled states, we found such data breaches in Congress, and TMC ruled states as well. This massive data breach cuts across party lines and shows how porous our public health IT infrastructure is and how this permeability compromises citizens' data privacy and personal security.

The image below is a compromised Covid vaccination schedule of a website of a rural government hospital in West Bengal. The data has details related to the beneficiary's name, the beneficiary's designation, their photo id number, mobile number, their office address, and the date of their vaccination.

A screenshot of the compromised data of the citizens

Not just Covid-19 data, when we looked further, we also found government electoral records readily available on the internet due to a breach in internet security in the servers maintained by the government. These electoral records from different parts of the country have complete details of the voter, including the name, father’s name, residential address, voter id, age, sex and photograph. The data breach is so severe that cyber miscreants can easily misuse it. The image below pertains to electoral records of a town in Kurukshetra in Haryana.

Electoral records of voters breached in Kurukshetra in Haryana

What you are now seeing below is page 101 of a 511-page document that consists of voter records from Haryana’s Karnal district. Like in the case of Kurukshetra, this record also has complete details of the voter, including the voter's photograph.

Electoral records of voters breached in Karnal in Haryana

What’s worse is that the details of dead Covid patients are also compromised. We came across many documents that had complete information about people who succumbed to Covid. In particular, a breached document from Lucknow had serial numbers, Covid portal serial numbers, case ids, name, age, gender, the listing of address under urban and rural categories, complete address of the deceased person, mobile number, sample collection date, lab result date, the reason for the closure of the case and the details of the medical facility where the person had received treatment.

This kind of data leak of a dead Covid patient is not just an infringement of a victim or his family’s privacy, but this also showcases how even the basic privacy of the mourning family is compromised. The details are so deep and exhaustive that the names and addresses of these dead patients can be impersonated during elections, and fake id cards can be made in their names.

Complete details of dead Covid patients in Lucknow which is part of the data breach

While the above image reveals the details of patients who have died of Covid-19, what we chanced upon next shook us even more. Thousands of details of beneficiaries and their personal bank account details along with their name, address, father’s name, caste, bank name, branch name, account number and IFSC code - all these details were found strewn all over the internet. From Union Bank of India to Punjab National Bank, from Kashi Gomti Samyut Gramin Bank to State Bank of India, many personal confidential details of citizens were found to be compromised.

Bank account data along with complete personal details of citizens found breached

Not just the bank account details, we discovered many more documents linked to the breached government site that had aadhar and even passport details of individuals. This is a cropped image of the original document that has the contact numbers, passport numbers, including details of the countries visited by the listed people during the pandemic. These documents also have complete addresses of the individuals and details of their families.

Passport data, travel history, along with other critical personal details found to be compromised

Most of these documents were uploaded to the CDN (Content Delivery Network) servers set up within the S3WaaS framework.

S3WaaS is a cloud service developed for government entities to generate secure, scalable and accessible websites. The S3WaaS website is designed, developed, hosted and maintained by the National Informatics Centre (NIC) under the Ministry of Electronics and Information Technology, Government of India.

The site is developed to enable government entities to build websites with an option to choose from various themes, customise and manage the content easily with the primary aim to maintain their online presence.

Also Read: Covid-19: Is the third wave a man-made crisis? | Unbreak the News with Prema Sridevi – Ep 19

Cyber security experts told The Probe that as far as the Covid-19 data breach is concerned, the public health authorities in the districts are mandated to send the local district data related to Covid-19 to the central government's main web platform that stores these details. Many district authorities started uploading the critical data pertaining to citizens mindlessly without taking basic security precautions. It is very clear that the authorities at the centre took little to no effort in adequately training or equipping the local district authorities in the protocols that must be followed before any such data related to citizens can be put on the net. Only an investigation will prove the exact origins or the root cause of the data breaches.

The privacy policy of the S3Waas, states that “NIC S3waas website does not automatically capture any specific personal information from you (like name, phone number or e-mail address), that allows us to identify you individually”.

Whether S3waas automatically captures the personal data of the people or not is not a matter of concern; what is indeed worriesome is the fact that this mother platform has massive data from various parts of the country and today this sensitive information related to the citizens is scattered on the internet. Just a simple search can enable one to access critical data.

This is not the first time a breach has been reported related to the public healthcare system. In June last year, there was speculation about a private entity selling a database of Covid-19 vaccination in India for a price. The messages related to this breach went viral on social media, and soon news reports emerged regarding CoWIN being hacked. CoWin, which is the government’s web portal for Covid-19 vaccination registration, was quick to respond. So was the health ministry.

The Ministry of Health and Family Welfare soon released a statement denying CoWin data breach. The government outrightly ruled out the possibility of such a hack, however, it asked the Computer Emergency Response Team of MeitY to conduct an enquiry and submit a report on the matter. The government since has maintained that its portals and data security system are not vulnerable to any breaches or attacks.

Also Read: The truth about Covid deaths in India | Unbreak the News with Prema Sridevi – Ep 38

But during the course of our investigation, we found a bunch of compromised documents that read: “Data related to Covid vaccination beneficiaries from the CoWin portal”. The document below is a leaf from the main bunch of documents. These records were not just found on the internet randomly. They were linked to the content delivery network of the S3waas platform.

Data linked to the S3waas site that was found breached on the internet.

What recourse does the common man have when his data is breached?

Experts say much needs to be done before we can protect our citizens legally from data breaches and equip them with the tool to fight such cases and get a conviction. The Personal Data Protection Bill, 2019 seeks to provide for the protection of personal data of individuals, but the Bill doesn’t address the major concerns.

Speaking to The Probe, Pavan Duggal, senior advocate and cyber security expert, noted: The data protection act that we have in India in its current form is extremely inadequate. The Personal Data Protection Bill, 2019 does not adequately address the entire gamut of issues related to data protection. It only focuses on personal data, and this is the precise aspect that is being highlighted in support by the Joint Parliamentary Committee, which said that this kind of law should be more generic and more broadly applicable and should not only deal with personal data but also sensitive non-personal data. The Personal Data Protection Bill does not deal with non-personal data. The government needs to do something about this.”

A few days ago, a cyber security researcher Rajshekhar Rajharia had tweeted about the breach of the personally identifiable information of people through a government CDN.

In his tweet, he said: “PII including name, mobile, PAN, Address etc of Covid-19 RTPCR results and CoWIN data getting public through a government CDN. Google has indexed almost 9 lakh public/private government documents in search engines. Patients data is now listed on #DarkWeb. Need fast deindex."

After he sounded the alarm, the government denied the data breach and issued a press statement rubbishing all media reports related to any data breach.

When approached, the Ministry of Health and Family Welfare categorically denied the breach, and they also issued a statement that read Myth vs Facts.

The press statement was titled - No data has leaked from Co-WIN portal. The entire Data stored on Co-WIN is safe and secure on this digital platform.

Mentioning the media reports, the press release stated: “There have been several media reports claiming that the data stored in the Co-WIN portal has been leaked online. It is clarified that no data has leaked from Co-WIN portal and the entire data of residents is safe and secure on this digital platform”.

Almost misleadingly, the government started talking about Co-WIN while in actuality, most of the breached data was linked to the S3WaaS framework.

The ministry further clarified, “While Union Ministry of Health and Family Welfare will enquire into the substance of the news, prima facie the assertion is not correct, as Co-WIN collects neither the address of the person nor the RT-PCR test results for COVID-19 vaccination”.

Also Read: India’s covid-19 vaccine crisis: a fumbling India searches for vaccination to end uncertainty and devaluation

According to Duggal, we only have limited remedies under the Information Technology Act, 2000. “If you find that your data has been breached and if you know the entity from which the data has been breached, then you can sue the entity for damages and compensation. For sensitive personal data, you can sue for limited damages and compensation; if it is non-sensitive personal data, then you can sue under certain circumstances for 5 crore rupees under section 43 of the IT Act, 2000. That apart, the victim can also file a criminal complaint or file an FIR against the entity under the current laws, but the fact is that the government is pretty much in a handicapped position when it comes to dealing with breaches of cyber security because our laws are not strong enough.”

But what recourse does one have when the breach comes from the government itself that is bound to protect the safety and security of its citizens?

According to Ashok Kumar Mohan, Assistant Professor at TIFAC-CORE Centre for Cyber Security at Amrita University, strong laws are the need of the hour.

“There is no point in just having the law in place. In law, you have to give evidence and strong proof before a court of law. We need to prove and back it up with evidence that the breach has happened, along with the details related to the source of the breach. It is very longwinded and very difficult to prove in many cases because of the limited scope of the existing laws that we have. Because of which, most of the time the case goes in favour of the people who have carried out these data breaches.”

The public health infrastructure security systems in India are vulnerable to data breaches and cyber-attacks. India still does not have any dedicated cyber security law in place. We still have the Information Technology Act of 2000, which is the main law, and there are small binary provisions for cyber security under this main law and these provisions only contain cosmetic laws, which in reality is not suited for the entire gamut of cyber security-related problems that we face today.

The “Guidelines for Indian Government Websites (GIGW) Compliance” – a document that lists 115 compliance matrices has clear rules on the quality control, security audit, maintenance checks that have to be performed on government websites. It is clear from the data leak that happened recently that these compliance matrices were not diligently followed. Nevertheless, after the data leak was flagged by IT security experts and reported by the media, some measures were put in place by removing a few pages and denying unauthorised access to a few other pages. However, it is far from being fully rectified since much of the sensitive data is still accessible, and with such massive amounts of data being now indexed by google, removing all the data from the internet is going to be a gargantuan task.

Despite repeated attempts, the National Informatics Centre was not available to comment on the latest data breach instance. While the government has been feigning ignorance and not explaining the reasons for the data breach and what measure it took thereafter to protect the data of the citizens, it now needs to fully secure the data storage facilities and mend the dent of faith endured by people regarding the privacy of their personal data. Many of the citizens are still oblivious to the breach, and the ones we spoke to - who found their confidential details online - are still coming to terms with it.