Medical data of Andhra customers leaked, 27 lakh orders shown on Anna Sanjivini site

This comes just two months after Aadhaar data of least 1.34 lakh citizens of the state was compromised.

Atom Data Breach

Nearly two months after the Andhra Pradesh government made Aadhaar data and other details of at least 1.34 lakh citizens of the state public, purchases of nearly 27 lakh orders of medicines made at the state-run Anna Sanjivini stores, were put in the open.

The details of these purchases were publicly listed on the Anna Sanjivini portal, which has now been taken down.

The homepage of the Anna Sanjivini website displayed the number of stores, the day’s orders and total orders along with the current day’s sales and cumulative sales. On clicking the hyperlinked number of orders, one could simply select the district and store and view details. It showed the name and phone number of the individual, medicine ID, date ordered, which store it was ordered from, along with the quantity ordered and amount paid.

As per the website, a little over 27 lakh orders had been placed so far at Anna Sanjivini stores, which could mean that details of tens of thousands of citizens could have been accessed.

This breach was discovered by security researcher Srinivas Kodali, who claims that these details had been in the public domain for a very long time – maybe even a couple of years. However, after Huffpost reported the issue on Monday, the link has since been removed.

Anna Sanjivini stores are generic medical stores set up by the AP government in 2015 to provide medicines at low costs for all critical and long-term diseases. There are 301 such stores across the state.

“If you are a resident of AP and if you were using any of the govt facilities for medical purposes, all your information including what you purchased has been public for a really long time,” Srinivas says.

He also claims that Chief Minister N Chandrababu Naidu’s dashboard is linked to this. Saying that this seems to be part of AP government’s real-time governance initiative, he adds, “AP CM’s dashboard is the reason why everyone’s been publishing details - because CM wants to track what’s happening in the state. And if this is the kind of info they are collecting, it is really flawed.”

The availability of the data points to the fact that the government has been tracking sales of all medicines, which also means that it has information on the health conditions of every individual that made a purchase at the store.

“There are serious privacy implications of this. It’s a serious breach from a medical ethics point of view because anyone can identify what ailment you have, based on the medicines you buy,” Srinivas says.

According to the Regulation of Privacy in Government and Private Hospitals and Diagnostic Laboratories, the information collected from the patient in both government and private hospitals, is used solely for the purpose that the patient has been informed of.

“Government hospitals however do not let any medical personnel access these records except for the doctor involved in the treatment of that particular patient,” the centre for internet and society website states.

This is also not the first time that data from a government website of Andhra Pradesh has been breached.

Aadhaar data of at least 1.34 lakh citizens in the state, along with their other details like their religion, caste and bank details among other things were made public. The names were part of a list titled ‘Beneficiary Details belonging to Entry Report for Scheme Hudhud’ and were available on the website of the Andhra Pradesh State Housing Corporation.

The page clearly showed the father’s name, address, panchayat, mobile number, ration card number, occupation, religion, caste, Aadhaar number, along with other details, including their bank details like bank branch, IFSC code and account number.