Bengaluru: With several Covid patients alleging “data leak” after getting calls from private companies offering to provide sanitisation and fumigation services, officials in the Covid war room in Bengaluru agreed there was a “loophole” in the system. The officials, however, claimed there was “no data leak”, and that the problem has been rectified.
“Someone pointed out the vulnerability on our website. We took immediate action and have plugged it. There has been absolutely no data leak and patient information remains confidential,” state Covid war room chief Munish Moudgil told ThePrint.
While the war room received at least 15 telephonic complaints from patients in Bengaluru till last week, it was a 10 November Twitter thread by Bengaluru-based programmer Shashi Kumar Sah that drew the department’s serious attention to the problem.
DATA SECURITY IN OUR COUNTRY IS A JOKE!
Karnataka Govt is leaking private info of those who got tested for COVID.
In this thread, I will share my experience with the COVID test and how I learned about the way our Govt is exposing our personal data.
— shashi (@devzoy) November 10, 2020
After the “loophole” was noticed, it was investigated and plugged within 48 hours, the officials claimed.
“I can say emphatically that there is no data leak either from IT systems or from the state data centre,” Moudgil said.
Telemarketers knew all details, says patient
A marketing executive in Bengaluru said she got a telemarketing call shortly after she and other members of her family tested positive for Covid in the first week of October.
Speaking to ThePrint, the 35-year-old, who did not wish to be identified, said she was surprised that the caller knew her family’s Covid-positive status.
According to her, all members of her family got calls, sometimes up to 25 a day, from companies offering services such as the fumigation and sanitisation of their residence, but they would refuse to divulge where they had accessed the patient details from.
“The calls began soon after we got our test results,” the executive said. “My brothers and mother had also tested positive. All of us got calls on our cell phones separately. It was not just one or two calls, there were almost 25 calls per day asking us if we would like to avail their services.”
And she wasn’t the only one. Many others in the city got similar calls, and feared leak of data, which may include details such as phone number, address, testing centre and the result of the patient.
War room officials confirmed to have received at least 15 complaints this month.
Patients said they often answer calls from unknown numbers assuming it is a call from the health department, which tracks Covid patients and calls them at regular intervals to check their status and provide medical assistance if needed.
A Bengaluru-based IT executive, who tested positive earlier this month, told ThePrint: “The health officials regularly check if we have any new symptoms or need medicines or vegetables delivered to our homes. They are very professional. But these companies annoy us. We cannot avoid those calls as we pick them assuming it is the health officials calling us.”
‘Data security is a joke’
Shashi Kumar Sah, whose Twitter thread brought the issue to light, said he stumbled upon the loophole after he tried to check his own Covid test result. He had given his samples for a test after a case of Covid-19 was reported from his apartment complex.
“Data security in our country is a joke! Karnataka Govt is leaking private info of those who got tested for COVID,” he posted on Twitter on 10 November, sharing his experience in a thread.
Speaking to ThePrint, Sah explained how easily he could access details of patient data.
After waiting for five days to hear from the officials about his result, he said, he decided to use his 13-digit SRF (Specimen Referral Form) ID — a number assigned to patients who have undergone a test — on the Covid war room website.
At first try, Sah got a message that asked if his SRF ID was correct.
“I got the message on the site that said that I should check my SRF ID again or if the number is correct, the result is still being processed,” he explained.
After several attempts, Sah decided to check what happens if he enters the identification number after changing its last digit. To his surprise, the initial page showed a different patient’s name, laboratory, test results and sap collection date, along with the SRF ID and the ICMR ID.
He found out that if the test result is positive, the website throws up more data including the patients BU (Bengaluru Urban) number, which is given by the health department to patients who have tested positive for Covid-19.
When he delved further, Sah said, he found out that the Application Programme Interface (API) was public and gave out all personal details that are not shown on the website. He said he was able to easily access the name, address, phone number, testing centre and test result of a patient.
“The patient’s contact number, age, gender was all there. The API essentially takes the input (SRF ID), processes the information, fetches the result from the database and displays it on the website,” Sah told ThePrint. “You write a short python script and the result is displayed in its entirety. I did it in less than five minutes. If I can do it, what stops profit making companies such as those making sanitisers from using this information to further their businesses.”
‘Authorities should have been more careful’
N. Vijayashankar, data protection and data governance expert, is of the opinion that if the Karnataka state Covid patient database could be easily accessed, it clearly means there was a failure on the part of the authorities to adequately encrypt it.
“Encryption is not a complicated thing and they should have been more careful,” he told ThePrint. “If anybody tried to hack the website and collect information, it amounts to a criminal act. But if it is freely accessible, then the authorities are to blame.”
Speaking to ThePrint, state Covid war room chief Moudgil, however, said there are strict instructions for everyone involved in the process of contact tracing, enforcing home isolation and dealing with patients “to maintain data confidentiality”.
“It may be noted that due to very nature of contact tracing and home isolation enforcement, many staff and authorised volunteers work on the ground contacting Covid patients for contact tracing. Also, many staff and authorised volunteers visit homes of patients in home isolation. That’s essential work. We have strictest instructions to all to maintain data confidentiality, and violations will be dealt by an FIR against the defaulters whoever they may be,” he added.