Ethical hacker says server allows access to Aadhaar, PAN cards, and details of organ donors and recipients among others.
New Delhi: The data server at Sanjay Gandhi Post-graduate Institute of Medical Sciences in Lucknow – a top institution in north India – is vulnerable to breaches, an ethical hacker has claimed.
But despite the vulnerability having been pointed out, authorities at the institute have done little to plug the loopholes and prevent data theft, he has said.
Rishi Dwivedi, the ethical hacker, told ThePrint that the poorly secured data server allowed easy access to not only personal records of thousands of patients but also their medical histories.
This includes verification documents for organ donations, details of organ donors and recipients along with their photographs, addresses, marriage certificates, PAN cards, Aadhaar details and voter ID details.
It also allows hackers access to medical reports from the institute’s nephrology department, notarised documents related to organ donation, and reports related to the Bhabha Atomic Research Centre (BARC) on radiation doses to individuals.
The state-run Sanjay Gandhi Institute is the premier healthcare centre in the region and is among the top medical institutions in the country. It plans to evolve into a centre for renal transplants.
Dwivedi told ThePrint that all these vital documents are easily accessible.
“It takes 15 to 20 seconds to access the records. Their whole server is in open source. Online forms being filed on their webpage or attachments being sent can all be downloaded. Aadhaar cards, voter ID cards, RTI information, agreements for donating organs, are all accessible,” he said in an email.
Dwivedi says he alerted the institute through email on 31 August but is yet to receive a response, while the vulnerability remains. “I am waiting for their reply. It looks like they are not concerned about the sensitive data of patients. However, it’s routine in India as no one is concerned about data and this is the biggest drawback of our system,” he said.
Reached by ThePrint for comment, SGPGIMS director Prof. Rakesh Kapoor said he was not aware of the vulnerability but promised to strengthen systems. “This is not in my information as yet and there are several departments handling different groups of information for the vast institute. I will look into the matter and make the systems more fool-proof,” he said.
‘Vital data that could be sold’
Experts say such medical data and ID data could be “simply sold in the black market”.
Pukhraj Singh, a cyber-intelligence analyst with 14 years of experience, says the spectrum of abuse is very broad for the likes of medical information, voter ID and Aadhaar data. “From simple identity theft to state-sponsored espionage, (such) databases offer a wealth of information to anyone with ulterior motives,” Singh said.
According to Pukhraj, the vulnerable server at the Lucknow institute “is a serious oversight which could be punishable under DISHA, the proposed (Indian) healthcare cyber-security law”.
“In general, healthcare providers in India have been known to not even follow the basic security guidelines. To add to that, such databases are valued in the black market, so these unprepared companies are now battling against sophisticated actors,” Pukhraj said.