The medical records of over 43,000 people have been accidentally made public after being put online by a pathology lab in Mumbai. The reports contain confidential details like names, addresses, dates of birth, and blood test results. They also include details of patients who have had blood tests done for HIV detection. Some included in the breach are as young as 17.
The reports, which the pathology lab Health Solutions was storing in an unprotected folder on its website, were accessible to anyone with the right URL. Worse, since the reports were exposed, they have already been indexed by Google and likely other search engines too. BuzzFeed News was able to access the folder via a simple search.
The breach was first discovered by web security expert Troy Hunt, who told BuzzFeed News that reports were stored in a folder with directory listing enabled. “What this meant was that there was literally a folder describing all the 43,000-plus files,” said Hunt. “This also means we have no idea of how many people have seen the files — they could have been viewed within cache.” Hunt was also able to find out that the reports were sitting on a server located in Provo, Utah.
None of the reports were password protected or had any kind of access control on them, which means that anybody could download anybody else’s pathology reports. “It’s about as bad as it gets, security-wise,” Hunt said.
When BuzzFeed News contacted Rodrigues Kustas, administrator at Health Solutions, he denied any knowledge of the breach before disconnecting the call. Kustas called BuzzFeed News back 30 minutes later, saying he was now aware of the breach. He said Health Solutions was moving to a new website in January because its current one had been “hacked" several times. Due to the move, he said there wasn’t any way the lab could fix the problem right now.
“Look, we are not the doctors, we merely do blood tests for patients. We also have more than 250 franchisees all over Mumbai who do tests for us,” Kustas said. “So maintaining doctor–patient privacy is not something that we as the lab are concerned with.”
Kustas also said that the lab’s website was built by a third-party developer who he described as a personal friend, but refused to provide any more details.
Unlike the United States, where the Health Insurance Portability and Accountability Act (HIPAA) mandates doctor–patient confidentiality, India does not have a strong legal framework around medical privacy or even a privacy law in general.
Doctors who BuzzFeed News spoke to said that each hospital follows its own guidelines around maintaining patient privacy in the absence of an umbrella framework.
The only reference to privacy comes in the Code of Ethics and Regulations published by the Medical Council of India (MCI), a statutory body that enforces medical standards in the country.
It says: “Confidences concerning individual or domestic life entrusted by patients to a physician and defects in the disposition or character of patients observed during medical attendance should never be revealed unless their revelation is required by the laws of the State.”
BuzzFeed News has reached out to all nine members on the executive committee of the MCI for comment.
A Google spokesperson pointed BuzzFeed News to the search engine’s page for removal policies, and provided the following statement: “Google Search generally reflects what’s on the web, so we ask that if people want content removed from the web, they start by contacting the site hosting the content. After the content is taken down, it will drop out of search engines’ web results.”
“This serves as a reminder that once we digitize anything, there’s a far greater risk of it being inadvertently disclosed,” Hunt said. “It's another case like so many others we've seen where there's large amounts of sensitive data exposed and the owner is totally unaware.”
A few hours after BuzzFeed News published this story, the main folder full of patients' reports is no longer accessible. It appears as though Health Solutions has taken down the directory.