top of page

Unprotected database of Indian healthcare agency exposed medical records of 12.5 mil pregnant women

A 3rd party security researcher detected a database belonging to the Department of Medical, Health and Family Welfare of a state in northern India, that was publicly available without any password protection. The unprotected database potentially exposed medical records of almost 12.5 million pregnant women who underwent an ultrasound scan, amniocentesis, genetic testing, or sex determination testing of their unborn child. The database contained almost 7.5 million digitized versions of medical forms and 5 million digitized versions of other 'Pre-Conception and Pre-Natal Diagnostic Techniques Act' and other related forms.

The information stored in the digitized versions of the medical forms include patients’ names, their father names, addresses, ages, phone numbers, diagnosis and disease information, pregnancy status, pregnancy complications, the procedure the patient has undergone, the center where the USG/amniocentesis/genetic test was performed, the date of the test, test results, person who received the test results, information about referring doctors, and many more.

The database also contained data about doctors and clinics who were in the possession of ultrasound machines and other medical equipment that could have been used to perform sex determination tests to determine an unborn baby's sex. Besides, the database also contained complaints made against doctors and clinics that perform sex determination tests.

Other than the patient details, the forms has a declaration by both the parties that the test was done to find out the sex of the baby and an abortion wasn't due to sex discrimination - which is what the Pre-Conception and Pre-Natal Diagnostic Techniques Act aims to achieve.

After the discovery, the 3rd party security researcher attempted to notify the owner of the database, but was unsuccessful. The security researcher contacted ZDNet for help, however, attempts to contact the government agency were similarly unsuccessful. Later, they notified the Computer Emergency Response Team (CERT) of India and took down the medical records stored in the leaky database. However, the entire process took almost three weeks, during which the server and the medical records remained exposed.

Although the medical records are removed from the database, the database is still publicly available online, exposing other agency operations.

You might be asking why a 3rd party security researcher was doing the investigation? In the world of cybersecurity, it is normal and routine for ethical hackers to explore and surf the internet to find out vulnerabilities of websites available in the public sphere. It can be done in the lobby of an office, or even at a Starbucks. They can just logged into the websites of organisations. Just to be sure - they are not hacking into the systems but they are like any typical visitors to a website, they will surf the website. If the website is secured, they would not be able to find any further particulars about the organisation other than those information displayed on the website. If the website is unprotected i.e., a visitor does not need authorisation to search for more information, these cybersecurity professional can access a lot of detail and data on these organisations.

The first task on hand for them is to inform the said organisation of their vulnerabilities. Unfortunately, a lot of times when they do this, the organisations always viewed them as hackers and opportunists trying to create an opportunity for themselves. Thus, the organisations generally 'brushed aside' such alert from these 3rd party cybersecurity researchers.


bottom of page