A cybersecurity researcher has recently revealed that the Indian government’s health portal, Online Registration System (ORS) compromised the privacy of two million patients, last year.
According to cybersecurity researcher Avinash Jain, a flaw in ORS website allowed users to access patient details — name, address, age, mobile number, appointments, Unique Health Identification (UHID), partial Aadhaar numbers, and disease details.
The researcher also told ET that the government had fixed the bug in October last year, three weeks after Jain alerted the cybersecurity agency, Indian Computer Emergency Response Team (CERT-In).
Launched in 2014 under the Digital India initiative, ORS is a website that connects various hospitals across the country for Aadhaar based online registration and appointment system. According to the website, the portal has over 237 registered hospitals. The site also notes that since its launch, the portal has been used to book over 3.1 Lakh appointments. On November 26, till 4:10 PM, the portal was used to book 2,223 appointments.
This is not the first that a government’s website has fallen prey to a data breach. In September 2019, French cybersecurity expert Baptiste Robert, who goes by the pseudonym Elliot Alderson on Twitter, revealed a data breach in the Gujarat government’s real estate regulatory authority (RERA) website.
Elliot Alderson noted that the portal had allegedly left one of the URL unprotected, which exposed sensitive deals like PAN Card, Aadhar Card, passport size photos and income tax details of the customers.
The French cybersecurity researcher had also shared the link to the file on the tweet. Numerous Twitter users confirmed that they were able to access the details of the Indian citizens.
Similar cases have taken place in the past as well. In May this year, Andhra Pradesh government exposed Aadhaar data of thousands of its state farmers by publicly uploading the list of scheme beneficiaries on the agricultural ministry’s website. The database contained private details such as mobile number, caste, village division, and benefactor’s Aadhaar number.
Then in January 2019, Aadhaar database of government workers in Jharkhand was leaked by a state government’s website, which left the details of these workers exposed without a password.