A database managed by an Indian government healthcare agency was left connected to the Internet without a password, where it exposed more than 12.5 million medical records for pregnant women, ZDNet has learned.
Records go as far back as five years, to 2014, and include detailed medical information for women who underwent an ultrasound scan, amniocentesis, or other genetic testing of their unborn child.
The database's owner
The database belonged to the Department of Medical, Health and Family Welfare of a state in northern India. ZDNet has refrained from naming the state.
The reason is that the database is still available online without a password. The good news is that the medical records have been removed from the database. However, removing these records wasn't an easy task and it took more than three weeks to have them taken offline.
The database was discovered by Bob Diachenko, a security researcher with cyber-security consulting firm Security Discovery, in early March 2019.
The researcher's initial attempts to secure the server were unsuccessful. Due to the nature of the data, the researcher contacted ZDNet for help, but our efforts to contact the government agency were similarly unfruitful.
The database was eventually secured with the help of the Computer Emergency Response Team (CERT) of India, but the entire process took three weeks, during which time the server and the medical records remained exposed for anyone to download.
The government agency secured the leaky server last Friday, March 29. Because the MongoDB server is still exposed online, revealing other agency operations, ZDNet has decided to refrain from naming the Indian state to prevent further abuse of its systems.
But the leaky database didn't contain just some generic medical records. The exposed medical information is connected to the Pre-Conception and Pre-Natal Diagnostic Techniques Act (PCPNDT), an Indian law passed in 1994 that banned prenatal sex determination in an attempt to prevent Indian families from aborting unborn girls and skewing the gender sex ratio towards males.
According to this law, any medical test that may reveal an unborn child's sex in India must be carried out only for legitimate medical reasons, and all tests must be recorded, along with the reasons for performing them.
The leaky database that Diachenko discovered was holding the digitized versions of medical forms (Form F) going back as far as 2014.
Speaking to ZDNet, Dr. Krishna Shah, a Resident at Sir Gangaram hospital in Delhi, explained the role of Form F and if leaving such information exposed online is considered a serious privacy issue.
"Every pregnant lady on her visit to the gynecologist or radiologist, undergoing USG, amniocentesis or any genetic testing has to fill form F," Dr. Shah told ZDNet.
"Other than the patient details, the form has a declaration by both the parties that the test was done to find out the sex of the baby and an abortion [...] wasn't due to sex discrimination - which is what the Pre-Conception and Pre-Natal Diagnostic Techniques Act aims to achieve."
And just like Dr. Shah told ZDNet, the information stored in the digitized versions of these forms included a wealth of personal and medical recrods, such as the patient's name, the father's name, the patient's address, her age, a telephone contact number, diagnosis and disease information, pregnancy status, pregnancy complications, the procedure the patient has undergone, the center where the USG/amniocentesis/genetic test was performed, the date of the test, test results, person who received the test results, information about referring doctors, and other.
Besides 7.5 million digitized versions of Form F, the database also contained five million digitized versions of other PCPNDT-related forms, such as Form A, Form D, Form E, and Form G, containing similar medical data.
The database also stored data about doctors and medical centers who were in the possession of ultrasound machines and other medical equipment that could have been used to determine an unborn child's sex.
In addition, the server also contained complaints made against doctors and medical centers, and whistle-blowing reports about doctors and medical centers performing sex determination tests. Some examples of these whistleblower reports [sic]:
Dear sir [REDACTED] diagnostic centre [REDACTED] is doing sex determination before delivery from ultrasound daily and taking good money near about 3 to 4 thousand... Pls sir take action...
There is sex selection camps at [REDACTED] and organized by some from Bijnaur.
A Staff Nurse Namely [REDACTED] is Involved In Female Foeticide Case with The help of Dr. [REDACTED]. I have Many complained against her in CMO office & DM office but No action taken by him. She had her abortion on 26/27-10-2014 which is also female Foeticide case, and I have complaint this crime but result is null.
A separate database showed the progress of some of these user reports and contained information about the legal status of some complaints that have gone to court following a government's investigation.
"Though the form forms the backbone of the Pre-Conception and Pre-Natal Diagnostic Techniques Act, it is a point of concern if the personal details of patients are left unprotected on the internet," Dr. Shah added.
Leaving such sensitive information inside a passwordless MongoDB server is akin to breaking doctor-patient confidentiality.
While the database did not contain information about all pregnancies recorded inside the unnamed Indian state, it did contain medical records for women who suffered pregnancy complications and abortions, data that some families would have liked to remain private, due to obvious reasons.