Another medical data leak has surfaced online. This time, a medical agency linked with the Indian government exposed records of pregnant women online. The leaky database was online for around a month before the Indian health agency removed the data.
Data Of Indian Pregnant Women Left Online
As revealed recently by researcher Bob Diachenko, an Indian health agency has inadvertently exposed a huge number of records online. The Indian govt. agency exposed the database containing 12.5 million records of pregnant women, on a misconfigured MongoDB. The researcher found this database on March 7, 2019, during the regular audit of BinaryEdge search engine stream.
As elaborated by the researcher in his blog, the leaky database included explicit medical information about the patients.
“The India-based IP contained a publicly accessible dataset of what appeared to be patients records, doctors details, children details, admin passwords, and logins.”
Explaining further about the information exposed, Diachenko wrote,
“The database records included different forms which pregnant women are required to complete and has questions ranging from the mother’s age to family history of genetic ailments, details of the pregnancy and other sensitive information.”
Specifically, the database included 7,449,714 “forms F” – a form necessarily filled by every expecting mother seemingly to fulfill the anti-sex discrimination abortions by the Indian Pre-Conception and Pre-Natal Diagnostic Techniques (PCPNDT) Act.
Apart from these forms, the database also contained other PCPNDT-related forms having patients’ medical information, ZDNet revealed. They also found some whistle-blowing reports regarding the entities performing sex determination tests.
Indian Health Agency Removed The Database, But…
As revealed, the database linked back to the Department of Medical, Health and Family Welfare, allegedly, of a North-Indian state. After discovering this unsecured database, Diachenko repeatedly attempted to reach the owners of the database. However, their attempts to secure the database remained unsuccessful.
Eventually, Diachenko contacted the Indian CERT for help. In response, they did help remove the database, yet, it took them around a month.
ZDNet avoided naming the responsible state of India as they notice that the MongoDB server still remains online and has other details related to agency operations.
These type of leaks seem to be an ongoing occurrence, whereby only earlier this week we reported on a similar leak affecting medical information of more than 800,000 blood donors.