The Free Software Movement of India (FSMI) – a country-wide collective of organisations working on software freedom, access and privacy – wrote to the BBMP on Wednesday asking for its PHAST portal to be shut down because it had exposed COVID-19 testing data.
According to FSMI's letter to the Bruhat Bengaluru Mahanagara Palike (BBMP), the latter's Public Health Activities, Surveillance and Tracking (PHAST) software was exposing COVID-19 data on a website being run by its contractor, Xyramsoft. The website was not accessible as of noon on Wednesday.
FSMI's letter stated that the organisation noticed it could access COVID-19 test data using their phone number and that it was able to access patient record details like Name, Age, Gender, Patient ID, ICMR Test ID, Lab Name, Test Result, Sample collected and received date, Sample type, Hospital name (if the patient was hospitalised) and the status of symptoms.
"It is not hard for any data broker to harness these details by writing an automated script," FSMI said in its letter.
The IT Rules of 2011 mention that "medical records and history" are classified as 'sensitive personal data or information' and that the storage and disclosure of such data must happen with "Reasonable security practices & Procedures" in place.
In its letter the FSMI said that the PHAST portal's practices were a "clear violation" of the rules and that it showed "an appalling lack of attention to protecting individual’s personal and sensitive data. The lack of proper security practices for sensitive health record data, especially in the midst of the peak of the pandemic can lead to misuse, exploitation and poses a catastrophic risk overall."
"Government cannot neglect the responsibility of protecting the sensitive data of its citizens and it must ensure the rule of law. We demand an immediate shutdown of this PHAST site until access management and a security audit is done. We also demand that BBMP take action against the software company Xyramsoft for its carelessness in building software without any security," the FSMI said.
Data pertaining to health, especially during the COVID-19 pandemic, has become a cause for concern. Writing for Newsclick about the National Digital Health Mission (NDHM), health expert J.S. Majumdar had said that NDHM had two modules, "Personal Health ID and Personal Medical Data. Personal Medical Data will be available to private companies, while the government will control the Personal ID data, it has been announced. This means an individual’s medical history and other details will be available to private companies and will be in public domain. The consequences of this are unimaginable, including the use of such data for commercial purposes and its potential for use in trials of new medicines by the MNCs, such as COVID vaccines etc."
With all kinds of data also open for sale on surreptitious platforms, health data is considered to be among the most valuable since companies can tailor treatments and even insurance based on it.
According to a 2019 report by US-based cybersecurity firm Trustwave, healthcare data is valued at up to $250 per record on the black market. Financial data like card-related information was valued at only about $5.40 per record in comparison.