A database managed by an Indian government healthcare agency was left connected to the Internet without a password, where it exposed more than 12.5 million medical records for pregnant women, ZDNet has learned.
Records go as far back as five years, to 2014, and include detailed medical information for women who underwent an ultrasound scan, amniocentesis, or other genetic testing of their unborn child.
The database belonged to the Department of Medical, Health and Family Welfare of a state in northern India. ZDNet has refrained from naming the state.
The reason is that the database is still available online without a password. The good news is that the medical records have been removed from the database. However, removing these records was not straightforward: it took more than three weeks to get them taken offline.
The database was discovered by Bob Diachenko, a security researcher with cyber-security consulting firm Security Discovery, in early March 2019.
The researcher's initial attempts to get the server secured were unsuccessful. Given the sensitivity of the data, the researcher contacted ZDNet for help, but ZDNet's efforts to reach the government agency were similarly unfruitful.
The database was eventually secured with the help of the Computer Emergency Response Team (CERT) of India, but the entire process took three weeks, during which time the server and the medical records remained exposed for anyone to download.
The government agency secured the leaky server last Friday, March 29. Because the MongoDB server is still exposed online, revealing other agency operations, ZDNet has decided to refrain from naming the Indian state to prevent further abuse of its systems.
But the leaky database didn't contain just generic medical records. The exposed medical information is connected to the Pre-Conception and Pre-Natal Diagnostic Techniques Act (PCPNDT), an Indian law passed in 1994 that banned prenatal sex determination in an attempt to prevent Indian families from aborting unborn girls and skewing the sex ratio towards males.
According to this law, any medical test that may reveal an unborn child's sex in India must be carried out only for legitimate medical reasons, and all tests must be recorded, along with the reasons for performing them.
The leaky database that Diachenko discovered was holding the digitized versions of medical forms going back as far as 2014.
Dr. Krishna Shah, a Resident at Sir Gangaram hospital in Delhi, explained the role of Form F and whether leaving such information exposed online is considered a serious privacy issue.
"Every pregnant lady on her visit to the gynecologist or radiologist, undergoing USG, amniocentesis or any genetic testing has to fill form F," Dr. Shah told ZDNet.