If you don’t think twice before sharing your name and phone number with medical storekeepers to put on the bill, you may reconsider once you hear what happened in Andhra Pradesh.
On June 13, people who had bought medicines from Anna Sanjivini, a government-run chain of medical stores, at Anantapur in Rayalaseema in Andhra Pradesh found their names, phone numbers, and purchases listed on an Andhra Pradesh government website.
The data was taken down after Huffington Post contacted Anna Sanjivini.
According to reports, an unsecured dashboard on the Anna Sanjivini website published the customer information from all such stores on the site.
Further, the interface, discovered by security researcher Srinivas Kodali, “contains thousands of pages of daily data and each order shows the order ID, the store operator ID, customer name, customer phone number, details of the medicines, and the money paid.”
The breach is in contravention of the draft of the Digital Information Security of the Healthcare Act (DISHA).
In the draft, the ministry of health highlights: “Any health data including physical, physiological, and mental health condition, sexual orientation, medical records and history, and biometric information are the property of the person who it pertains to.”
Also, the draft DISHA states, “Any person who commits a serious breach of healthcare data shall be punished with imprisonment, which shall extend from three years and up to five years or fine, which shall not be less than $6,164 (INR 5 Lakh).”
For quite some time, there have been increasing reports that some unidentified groups were found selling the Aadhaar data of India’s over 1 Bn population at just $7.88 (INR 500).
Also, reports recently surfaced that the data of NaMo app users was being sent to the US company CleverTap. French security researcher Elliot Alderson, who revealed the NaMo data leak, has been continuously highlighting the major issues and lack of data privacy under Aadhaar.
This leak of medical information might seem small in comparison to some bigger data breaches in recent times, but for citizens it is a major breach of trust by the government, which is mandated to keep their privacy secure.
[The development was reported by HuffPost.]