The Department of Medical, Health and Family Welfare of a state government in India has been found in the middle of a data security lax, that could have led to significant misuse and breach. According to reports, the state government division, which has been unspecified owing to security reasons, had connected its database to the internet and subsequently left it unsecured, without any password.
The breach was discovered by cyber security researcher, Bob Diachenko. The database in question holds almost 12.5 million records of medical files, pertaining to pregnant women and other pregnancy related affairs. The information holds a significant amount of detail, including medical data such as ultrasonically results, amniocentesis, genetic tests of the foetus, pregnancy and surgical procedure history, and personal data such as name, age, telephone numbers and residential addresses. Furthermore, it also included test center and doctor details, with date and exact procedural data of the concerned state’s pregnancy procedures.
While the database has since been secured by the Computer Emergency Response Team (CERT), the information is still available online without any password protection, resulting in the threat still being extant. Along with the obvious aspect of personal information leakage, the extensive set of medical reports may also put a large number of individuals, doctors and medical centres in jeopardy. The Pre-Conception and Pre-Natal Diagnostic Techniques Act (PCPNDT) of India, 1994 forbids pre-birth gender determination, and was established in a bid to restrain female foeticide and establish gender equality across the nation.
As a result, the information in store can lead to criminal charges being filed against all parties involved in such acts. The database contains information worth over five years, and includes information from over 7.5 million core data, and 5 million other ancillary data pertaining to pregnancy and misuse of medical equipment. Also in store were complaints by individuals against doctors and medical institutions practicing such unlawful acts.
It remains to be seen what course of action is eventually taken. While the server has been secured with a password since Friday, March 29, the MangoDB server still remains online and unsecured, which does not rule out the possibility of a potential data hack attack some time in future.