Wed, 26/05/2021 - 08:59

Letter on lack of security for CoVID-19 test results data being published by BBMP

To,
Sri. Rajendra Cholan P, IAS,
Special Commissioner (Health & Information Technology)
Bruhat Bengaluru Mahanagara Palike,
comm@bbmp.gov.in


Dear  Official,

I am writing this letter representing the Free Software Movement of India, we are a coalition of organizations working on Software Freedom, Access and Privacy. I am writing this letter to inform you of the lack of security for BBMP’s Public Health Activities, Surveillance and Tracking (PHAST) software. Everyone’s covid-19 tests data is being published by BBMP’s contractor  Xyramsoft at https://mysamplestatus.xyramsoft.com/#/patient-details. We notice that anyone’s covid-19 data can be accessed by simply querying with their phone numbers. The patient record details including Name, Age, Gender, Patient ID, ICMR Test ID, Lab Name, Test Result (Positive/Negative), Sample collected & received date, Sample type, Hospital name if the patient was hospitalised, Status of symptoms are accessible publicly. It is not hard for any data broker to harness these details by writing an automated script. We are attaching a screenshot to show how anyone’s details can be accessed.


The IT Rules of 2011 clearly states that health record information is ‘sensitive’ data and the collection, storage and disclosure of such data must be bound by "Reasonable security practices & Procedures”. This is a clear violation of IT Rules (2011) and shows an appalling lack of attention to protecting individual’s personal and sensitive data. The lack of proper security practices for sensitive health record data, especially in the midst of the peak of the pandemic can lead to misuse, exploitation and poses a catastrophic risk overall. This is not the first time we are witnessing issues related to personal data breach in the case of  BBMP. Government cannot neglect the responsibility of protecting the sensitive data of its citizens and it must ensure the rule of law. We demand an immediate shutdown of this PHAST site until access management and a security audit is done. We also demand that BBMP take action against the software company Xyramsoft for its carelessness in building software without any security.  

 

With Regards,
Kiran Chandra,
General Secretary,
Free Software Movement of India.