Lucknow's Sanjay Gandhi Postgraduate Institute of Medical Sciences (SGPGIMS) has been uploading the private data of its patients online in a gross violation of their privacy. The information available ranges from the medical procedures they underwent to demographic details such as photographs, signatures, telephone numbers, addresses and ID documents. Reports related to the Bhabha Atomic Research Centre on radiation doses given to individuals are also available.
The lapse was highlighted by ethical hacker Rishi Dwivedi and subsequently verified by HuffPost India. There is no security on the institute's website—you merely need to enter its address in your browser to have full access to the records stored online, without a username, password or any other form of access control. Although Dwivedi reported the lapse to SGPGIMS on 31 August, the unsecured site remained fully accessible when this article was published. Dwivedi said that he has not received a response from the medical college.
"When I spoke to the authorities on telephone, I was told that the matter was not urgent as it only amounts to the details pertaining to few hundred patients," said Dwivedi.
Apart from the patients' data, other files include the minutes of the meetings held by various committees of the hospital, also stored as easily accessible PDF files.
The records appear to be present on an older version of the website, and according to Mumbai-based cybersecurity researcher Ritesh Bhatia, the team that designed the website did not account for protecting the privacy of patients by securing their data.
"While designing the new website, the team would have retained the old website on its server because of which one can easily access the sensitive health data," Bhatia said. "It was indeed shocking to see extremely sensitive health information of around 200 patients on a web-hosting server. Such sensitive information should be well-protected by strong security measures if it's being stored online."
The Print first reported the breach on 6 September.
Several directories containing a huge amount of data, some about the hospital, and a lot more about the patients, are easily available.
They are all stored in a folder called 'rajesht', and on LinkedIn, HuffPost India found an employee of SGPGIMS named Rajesh Tiwari who is the Nodal Officer, Management Information System (MIS) Cell. Hospital authorities have not responded to HuffPost India's attempts to speak about the issue, but in a report published in The Print, SGPGIMS director Prof Rakesh Kapoor claimed ignorance of the matter. However, he said that he will ensure that the gaps in the data security system are plugged soon.
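The exposure described above comes down to a legacy copy of a site left under the web server's document root, with directories full of documents that have no index page and no access control, so anyone who knows or guesses the path can enumerate and download them. The script below, added here as an illustration and not part of the original report or of the institute's systems, is the kind of offline self-audit an administrator runs on the server against its own document root to find that pattern before anyone else does. The directory layout it builds (legacy_site/uploads, secure/reports, public) and the file names are constructed sample data, and treating a .htaccess file as evidence of a per-directory access rule is a simplifying assumption.

```python
"""Offline self-audit of a web document root for the exposure pattern described
above: a legacy site copy left under the docroot, with document directories that
have no index page (so a directory-listing setting would enumerate them) and no
per-directory access control. Runs on the server's own filesystem; nothing is
fetched over the network.
"""
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import List

INDEX_NAMES = {"index.html", "index.htm", "index.php"}
# Document types that commonly carry personal data (records, scans, ID copies).
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".csv", ".jpg", ".jpeg", ".png"}
# Assumption: a per-directory .htaccess file is taken as a sign that the
# directory has an access rule; a fuller audit would parse the rule itself.
PROTECTION_FILES = {".htaccess"}


@dataclass
class Finding:
    directory: str                     # path relative to the docroot
    listable: bool                     # no index page: a listing setting would show the contents
    protected: bool                    # has a per-directory access rule file
    documents: List[str] = field(default_factory=list)


def audit_docroot(docroot: str) -> List[Finding]:
    """Walk the docroot and record every directory that holds documents."""
    root = Path(docroot)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        names = set(filenames)
        docs = sorted(f for f in filenames if Path(f).suffix.lower() in DOCUMENT_EXT)
        if not docs:
            continue
        rel = Path(dirpath).relative_to(root).as_posix()
        findings.append(Finding(
            directory=rel,
            listable=not (names & INDEX_NAMES),
            protected=bool(names & PROTECTION_FILES),
            documents=docs,
        ))
    return sorted(findings, key=lambda f: f.directory)


def risky(findings: List[Finding]) -> List[Finding]:
    """Directories whose documents are both enumerable and unprotected."""
    return [f for f in findings if f.listable and not f.protected]


def build_sample_docroot() -> str:
    """Constructed sample tree (not the institute's real layout)."""
    root = Path(tempfile.mkdtemp(prefix="docroot_"))
    layout = {
        "public": ["index.html", "brochure.pdf"],                      # has an index page
        "secure/reports": [".htaccess", "audit_2018.pdf"],              # has an access rule
        "legacy_site/uploads": ["patient_001.pdf", "patient_002.pdf"],  # neither
        "legacy_site": ["old_home.html"],                               # no documents
    }
    for directory, files in layout.items():
        d = root / directory
        d.mkdir(parents=True, exist_ok=True)
        for name in files:
            (d / name).write_text("sample")
    return str(root)


if __name__ == "__main__":
    docroot = build_sample_docroot()
    for finding in audit_docroot(docroot):
        status = "EXPOSED" if finding.listable and not finding.protected else "ok"
        print(f"{status:8} {finding.directory}: {len(finding.documents)} document(s)")
```

Run on the constructed tree, only legacy_site/uploads is reported as exposed: public has an index page, and secure/reports carries an access rule. Pointing `audit_docroot` at a real docroot gives an administrator the list of directories to either remove (a retired site copy has no reason to stay under the web root) or put behind authentication.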
Chandigarh-based human rights lawyer Ranjan Lakhanpal said that the breach was a gross violation of the right to privacy, and that criminal action could be taken against the hospital administration. "You can't display sensitive medical records of chronic patients in public domain. This will indeed harass them further. A criminal case should be registered against the hospital," he said.
'Breach of trust'
Patients whose data was leaked have also demanded criminal action against the hospital authorities. Markandeya Yadav, who lives in Islampur village in Gorakhpur, had undergone a renal transplant in 2017. He told HuffPost India that he would take up the issue on his visit scheduled next week.
Rajeev Gupta, a resident of Juhi Colony in Kanpur, who received a kidney from his wife, also expressed shock over the data leak.
"The hospital should have ensured the secrecy of our data by protecting it. There is a need to investigate whether the hospital has done it intentionally to provide an easy access to some buyers or has done it in ignorance," said Gupta.
According to Jalandhar-based cardiologist Dr Charanjit Singh Pruthi, there is high demand for such sensitive data from pharma companies as well as business houses which run corporate hospitals across the country.
"Apart from the data breach, it is also a breach of trust by the concerned doctor and is unethical," Dr Pruthi said. "As doctors, we do not disclose the medical history even to the family members of a patient without his consent. This calls for a criminal case to be lodged against such people."