A new report published by German cybersecurity company, Greenbone Sustainable Resilience, has revealed concerning data leaks within the medical industry. This latest publication, the second of its kind, discloses that over 120 million medical records belonging to Indian patients have been leaked and freely offered on the internet. This follows a previous report in October 2019 that initially noted an alarming number of records being leaked, including CT scans, X-rays, MRIs and even patient photographs.
Data Leak Increase Since First Report
Since the first report was released, the number of data leaks containing patient information had a worrying increase from 627,000 to 1.01 million. In addition, the number of images revealing patient details significantly rose from 105 million to 121 million.
Global Medical Data Security Ranking
The report uses three categories – “good”, “bad”, and “ugly” – to class countries based on their government’s response to the initial report. In this ranking system, India is chillingly placed as the second worst or second in the “ugly” category, just after the United States.
In-Depth Look at India’s Data Leaks
A closer analysis of the leaked data within India showed that Maharashtra had the highest number of medical data leaks, followed by Karnataka and West Bengal. The main reason for these breaches is due to medical records being stored on Picture Archiving and Communications System (PACS) servers, which are easily accessible through the public internet and without adequate security measures.
Concern Over Data Protection
Medical practitioners are ethically and legally required to uphold all patients’ medical record confidentiality. Despite this, the report highlights an apparent moral irresponsibility among some practitioners. One of the significant dangers of these leaks is the potential for fake identities to be created using the leaked medical data – identities that can be misused in countless ways.
India’s Efforts Toward Data Protection
India has made efforts to ensure the security of electronic data through the Information Technology Act, 2000, amended in 2008. Under Section 43A of the IT Act, the Information Technology (Reasonable Security Practices and Sensitive Personal Data) Rules were established, which outline a procedure for corporate entities that collect and possess personal data. The Indian Parliament recently tabled the Personal Data Protection (PDP) Bill, 2019, marking India’s first attempt to create domestic legislation on data protection. This bill categorizes certain personal data as sensitive, including financial and biometric data, health information, and details related to caste, religious, or political beliefs.
