[BreachExchange] Healthcare Data Leak: Over 120 Mn Medical Images Of Indian Patients Left Exposed

Destry Winant destry at riskbasedsecurity.com
Tue Feb 4 10:04:47 EST 2020


https://inc42.com/buzz/india-healthcare-data-leak-over-120-mn-medical-images-exposed/

The medical images include X-rays and scans, while details such as
patient history were also leaked

Mumbai's high-end Breach Candy Hospital and Utkarsh Scans were among
the providers impacted

The leak is a result of bad password practices at these hospitals and
medical service providers

As healthcare gets digitised in the Indian context and with millions
of digital health records being produced every day, healthcare
providers also have to look at cybersecurity seriously. In the latest
data leak related to users in India, over a million medical records
and 121 Mn medical images of Indian patients, including X-rays and
scans, have been leaked online and are freely accessible to anyone.

According to German cybersecurity company Greenbone Networks, the
patient records, scans and images from India also include details
such as the name of the patient, their date of birth, the national ID,
name of the medical institution, their medical history, physician
names and other details that are meant to be classified.

Among the leaked data are medical records belonging to Mumbai’s
high-end Breach Candy Hospital as well as Utkarsh Scans, a relatively
well-known medical imaging provider. Upon review, Inc42 found that the
link where the data has been uploaded also allows anyone to download
medical images of patients.

As per Greenbone, the servers storing these records are vulnerable due
to the system used by many healthcare providers. Overall, the company
found 1.19 Bn images in its review in 2020, which is a 60% increase
(up from 737 Mn) from what it saw last year.

According to the company, the security protocol for securing these
servers had not been followed in this case. The images
are directly available on the internet without any password
protection, which is typically not the case with medical records.

In total, the research found 97 vulnerable systems in India. “It is a
notable fact for the systems located in India, that almost 100% of the
studies allow full access to related images.”

Greenbone security researcher Dirk Schrader reportedly told ET the
vulnerability in India’s medical systems does not stem from any kind
of software flaw or loophole, but rather is a result of bad security
practices and a “configuration issue.”

The leak of the digital medical records brings to light how insecure
Indian healthcare systems are. As India moves towards data protection
with the Personal Data Protection bill, such healthcare institutions
would be held liable for using unsecured servers and weak password
practices. The PDP bill is also likely to govern all healthcare data.

The government’s National Digital Health Blueprint report has proposed
the creation of district-level electronic databases of citizens’
health data and registries for all diseases of public importance and,
most importantly, proposed a National Health Information Architecture
to roll out and link systems across public and private health
providers at state and national levels.

