Details of 120 million Indians freely available on Internet: Greenbone report

Medical details of over 120 million Indian patients have been leaked and made freely available on the Internet, according to a recent report published by Greenbone Sustainable Resilience, a German cybersecurity firm.

What is even more worrying is that the number of data troves containing this sensitive data went up by a significant number in the Indian context a month after Greenbone’s initial report was published. The updated report also places Maharashtra at the top of the States affected by the leak.

The first report was published in October last year, in which Greenbone revealed a widespread data leak of a massive number of records, including images of CT scans, X-rays, MRIs and even pictures of the patients.

The follow-up report, which was published in November, classifies countries in the “good”, “bad” and “ugly” categories based on the action taken by their governments after the first report was made public. India ranks second in the “ugly” category, after the U.S.

The report says that in 60 days after the first report was put out, the number of data troves bearing the patients’ information went up from 6,27,000 to 1.01 million, and that the images of patients’ details rose from 105 million to 121 million.

“It is a notable fact for the systems located in India, that almost 100% of the studies (data troves) allow full access to related images,” the report states.

As per the follow-up report, Maharashtra ranks the highest in terms of the number of data troves available online, with 3,08,451 troves offering access to 6,97,89,685 images. The next is Karnataka, with 1,82,865 data troves giving access to 1,37,31,001 images.

“The leak is worrying because the affected patients can include anyone from the common working man to politicians and celebrities. In image-driven fields like politics or entertainment, knowledge about certain ailments faced by people from these fields could deal a huge blow to their image. The other concern is of fake identities being created using the details, which can be misused in any possible number of ways,” a Maharashtra cybersecurity officer said.

Medico-legal expert Lalit Kapoor said any communication between a doctor and a patient was privileged one. “A doctor or a hospital is thus ethically, legally and morally bound to maintain confidentiality,” he said.

PACS servers

Greenbone’s original report says the leak was facilitated by the fact that the Picture Archiving and Communications Systems (PACS) servers, where these details are stored, are not secure and linked to the public Internet without any protection, making them easily accessible to malicious elements.

“The fact that PACS servers are vulnerable to attack or are accessible is not new information, and there have been a number of reports on this topic in the past. No report, however, has dealt with the breadth and depth of the problem associated with unsecured PACS servers,” the report states.