[BreachExchange] Indian govt agency left details of millions of pregnant women exposed online

Destry Winant destry at riskbasedsecurity.com
Wed Apr 3 07:45:17 EDT 2019


https://www.zdnet.com/article/indian-govt-agency-left-details-of-millions-of-pregnant-women-exposed-online/

A database managed by an Indian government healthcare agency was left
connected to the Internet without a password, where it exposed more
than 12.5 million medical records for pregnant women, ZDNet has
learned.

Records go as far back as five years, to 2014, and include detailed
medical information for women who underwent an ultrasound scan,
amniocentesis, or other genetic testing of their unborn child.

THE DATABASE'S OWNER

The database belonged to the Department of Medical, Health and Family
Welfare of a state in northern India. ZDNet has refrained from naming
the state.

The reason is that the database is still available online without a
password. The good news is that the medical records have been removed
from the database. However, removing these records wasn't an easy task
and it took more than three weeks to have them taken offline.

The database was discovered by Bob Diachenko, a security researcher
with cyber-security consulting firm Security Discovery, in early March
2019.

The researcher's initial attempts to secure the server were
unsuccessful. Due to the nature of the data, the researcher contacted
ZDNet for help, but our efforts to contact the government agency were
similarly unfruitful.

The database was eventually secured with the help of the Computer
Emergency Response Team (CERT) of India, but the entire process took
three weeks, during which time the server and the medical records
remained exposed for anyone to download.

The government agency secured the leaky server last Friday, March 29.
Because the MongoDB server is still exposed online, revealing other
agency operations, ZDNet has decided to refrain from naming the Indian
state to prevent further abuse of its systems.

THE SENSITIVE NATURE OF THE EXPOSED DATA

But the leaky database didn't contain just some generic medical
records. The exposed medical information is connected to the
Pre-Conception and Pre-Natal Diagnostic Techniques Act (PCPNDT), an
Indian law passed in 1994 that banned prenatal sex determination in an
attempt to prevent Indian families from aborting unborn girls and
skewing the gender sex ratio towards males.

According to this law, any medical test that may reveal an unborn
child's sex in India must be carried out only for legitimate medical
reasons, and all tests must be recorded, along with the reasons for
performing them.

The leaky database that Diachenko discovered was holding the digitized
versions of medical forms (Form F) going back as far as 2014.

Speaking to ZDNet, Dr. Krishna Shah, a Resident at Sir Gangaram
hospital in Delhi, explained the role of Form F and if leaving such
information exposed online is considered a serious privacy issue.

"Every pregnant lady on her visit to the gynecologist or radiologist,
undergoing USG, amniocentesis or any genetic testing has to fill form
F," Dr. Shah told ZDNet.

"Other than the patient details, the form has a declaration by both
the parties that the test was done to find out the sex of the baby and
an abortion [...] wasn't due to sex discrimination - which is what the
Pre-Conception and Pre-Natal Diagnostic Techniques Act aims to
achieve."

And just like Dr. Shah told ZDNet, the information stored in the
digitized versions of these forms included a wealth of personal and
medical recrods, such as the patient's name, the father's name, the
patient's address, her age, a telephone contact number, diagnosis and
disease information, pregnancy status, pregnancy complications, the
procedure the patient has undergone, the center where the
USG/amniocentesis/genetic test was performed, the date of the test,
test results, person who received the test results, information about
referring doctors, and other.

Besides 7.5 million digitized versions of Form F, the database also
contained five million digitized versions of other PCPNDT-related
forms, such as Form A, Form D, Form E, and Form G, containing similar
medical data.

The database also stored data about doctors and medical centers who
were in the possession of ultrasound machines and other medical
equipment that could have been used to determine an unborn child's
sex.

In addition, the server also contained complaints made against doctors
and medical centers, and whistle-blowing reports about doctors and
medical centers performing sex determination tests. Some examples of
these whistleblower reports [sic]:

Dear sir [REDACTED] diagnostic centre [REDACTED] is doing sex
determination before delivery from ultrasound daily and taking good
money near about 3 to 4 thousand... Pls sir take action...

There is sex selection camps at [REDACTED] and organized by some from Bijnaur.

A Staff Nurse Namely [REDACTED] is Involved In Female Foeticide Case
with The help of Dr. [REDACTED]. I have Many complained against her in
CMO office & DM office but No action taken by him. She had her
abortion on 26/27-10-2014 which is also female Foeticide case, and I
have complaint this crime but result is null.

A separate database showed the progress of some of these user reports
and contained information about the legal status of some complaints
that have gone to court following a government's investigation.

"Though the form forms the backbone of the Pre-Conception and
Pre-Natal Diagnostic Techniques Act, it is a point of concern if the
personal details of patients are left unprotected on the internet,"
Dr. Shah added.

Leaving such sensitive information inside a passwordless MongoDB
server is akin to breaking doctor-patient confidentiality.

While the database did not contain information about all pregnancies
recorded inside the unnamed Indian state, it did contain medical
records for women who suffered pregnancy complications and abortions,
data that some families would have liked to remain private, due to
obvious reasons.


More information about the BreachExchange mailing list