Weak security in a critical BBMP software being used for Covid-19 data may have helped private firms and third-party individuals to access the information of patients and their test reports.
The municipal body’s Public Health Activities, Surveillance and Tracking (Phast) software is used for a variety of activities. But earlier this week, open source groups found that Covid-19 testing data of individuals could be accessed by simply inputting phone numbers.
The discovery prompted a letter on Tuesday, by the Free Software Movement of India, a national coalition of free software movements, to the BBMP, asking for the site to be immediately shut down.
Srinivas Kodali, a member of the coalition, said that the movement had been tipped off about the security lapses of Phast on Tuesday, and said that it represented serious privacy concerns.
“It is a concern because we do not know to what extent the data is being leaked to private companies and other actors,” he said.
In the letter which is addressed to Rajendra Cholan, Special Commissioner (Health and IT), Bruhat Bengaluru Mahanagara Palike, the FSMI writes that: “We notice that anyone’s Covid-19 data can be accessed by simply querying with their phone numbers. The patient record details including name, age, gender, patient ID, ICMR test ID, lab name, test result (positive/negative), Sample collected and received date, sample type, hospital name if the patient was hospitalised, status of symptoms are accessible publicly. It is not hard for any data broker to harness these details by writing an automated script.”
This was verified by DH when it was able to download several Covid-19 testing reports by simply entering phone numbers.
Speaking to DH later on Tuesday, Cholan said that the issue had been brought to the attention of the BBMP. He said he had consequently issued two instructions for changes to the software. “One is that an OTP is mandatory and has to be sent to the phone number entered. Then, the SRF ID will have to be entered,” he said.
He added that the system lacked an additional layer of security because of chaotic testing scenes in April. One flaw was that the system did not ask for patients’ SRF ID codes, which are generally only known to test-takers before providing information.
“The SRF ID was removed because the number of tests in April was high and many private labs were also doing testing. Out of one lakh tests being done daily, about 60,000 were being done by private labs. There was improper collection of addresses and other details. So at that time, patient information was not being uploaded properly. SRF IDs were not being sent out properly. Therefore, at the time, the Phast application used [only] the phone concept,” Cholan said.