Medical data is among the most sensitive information that organizations can collect, store, or share. It is never a good idea to store medical data in plain text or leave it publicly accessible. The nightmare of any patient to give your most intimate medical details to your Doctor or medical professional and then hope it is never leaked online. Although this massive data breach affects millions of pregnant women in India, it could happen anywhere and reminds us once again how important data privacy is.
Now that the database is secured, I can disclose the details of another misconfigured MongoDB incident which I first identified on March 7th during a regular security audit of the BinaryEdge search engine stream.
The India-based IP contained a publicly accessible dataset of what appeared to be patients records, doctors details, children details, admin passwords, and logins – all collected as part of the Indian Pre-Conception and Pre-Natal Diagnostic Techniques (PCPNDT) Act, which is a low the Parliament of India enacted to stop female feticide (destruction or abortion of a fetus) and help slow the declining sex ratio in India. The act banned prenatal sex determination in 1994 and the act aims to prevent sex-selective abortion.
The database records included different forms which pregnant women are required to complete and has questions ranging from the mother’s age to family history of genetic ailments, details of the pregnancy and other sensitive information.
The database contained 7,449,714 “forms F”, plus other forms detailing all the aspects of a medical inspection.
Additionally, anonymous complaints, court cases details, doctors details, children details (sex, age, status) were left completely exposed and open for public access – totaling to more than 12,5 Million of records.
The most disturbing part of this data leak was that I can confirm it was accessible for almost a month after my initial discovery and when it was finally secured.
I immediately sent a notification to (CERT) The Indian Computer Emergency Response Team that is an office within the Ministry of Electronics and Information Technology. It is the agency to deal with cyber security threats and they have helped me in the past with proper disclosure of sensitive Indian data leaks. I also requested to pull down the database, however, it took them almost a month to remove the private content off the database.
You can read more on this discovery in Catalin Cimpanu‘s story here on ZDnet.