Unprotected database of Indian government healthcare agency exposed medical records of 12.5 million pregnant women
- The leaky database exposed medical records of almost 12.5 million pregnant women who underwent an ultrasound scan, amniocentesis, genetic testing, or sex determination testing of their unborn child.
- The database did not contain medical records of all pregnant women recorded in the particular Indian state, however, it contained medical records of only women who suffered pregnancy complications and abortions.
What is the issue - A security researcher Bob Diachenko detected a database belonging to the Department of Medical, Health and Family Welfare of a state in northern India, that was publicly available without any password protection.
What information was exposed?
The leaky database exposed medical records of almost 12.5 million pregnant women who underwent an ultrasound scan, amniocentesis, genetic testing, or sex determination testing of their unborn child.
The database contained almost 7.5 million digitized versions of medical forms (Form F) and 5 million digitized versions of other ‘Pre-Conception and Pre-Natal Diagnostic Techniques Act’ (PCPNDT) related forms such as Form A, Form D, Form E, and Form G.
The information stored in the digitized versions of the medical forms include patients’ names, their father names, addresses, ages, phone numbers, diagnosis and disease information, pregnancy status, pregnancy complications, the procedure the patient has undergone, the center where the USG/amniocentesis/genetic test was performed, the date of the test, test results, person who received the test results, information about referring doctors, and more.
The database also contained data about doctors and clinics who were in the possession of ultrasound machines and other medical equipment that could have been used to perform sex determination tests to determine an unborn baby's sex.
Besides, the database also contained complaints made against doctors and clinics that perform sex determination tests.
What is PCPNDT?
Pre-Conception and Pre-Natal Diagnostic Techniques Act (PCPNDT) is an Indian law passed in 1994 that banned prenatal sex determination in order to prevent female foeticides.
According to this Act, any medical test that may reveal an unborn child’s sex in India is illegal and punishable under law. Such tests must be performed only for legitimate medical reasons and must be recorded along with the reasons for performing them.
What is Form F?
According to Dr. Krishna Shah, a Resident at Sir Gangaram Hospital, Delhi, exposing Form F information is a serious privacy issue.
“Every pregnant lady on her visit to the gynecologist or radiologist, undergoing USG, amniocentesis or any genetic testing has to fill form F,” Dr. Shah told ZDNet.
“Other than the patient details, the form has a declaration by both the parties that the test was done to find out the sex of the baby and an abortion [...] wasn't due to sex discrimination - which is what the Pre-Conception and Pre-Natal Diagnostic Techniques Act aims to achieve,” he added.
Worth noting - The database did not contain medical records of all pregnant women recorded in the particular Indian state, however, it contained medical records for only women who suffered pregnancy complications and abortions.
Why it matters - The unprotected database is still available online without any authentication.
Bob Diachenko, who detected the leaky database attempted to notify the owner of the database, but he was unsuccessful. Later, the security researcher contacted ZDNet for help, however, attempts to contact the government agency were similarly unsuccessful.
Later, they notified the Computer Emergency Response Team (CERT) of India and took down the medical records stored in the leaky database. However, the entire process took almost three weeks, during which the server and the medical records remained exposed.
Although the medical records are removed from the database, the database is still publicly available online, exposing other agency operations.