A government-run health portal that was launched in 2014 risked data of around 2 million people registered on the site, according to cyber security researcher Avinash Jain, who shared the details exclusively with ET.
The security flaw in the Online Registration System (ORS) website allowed access to patient details, including full names, addresses, age, mobile numbers, appointments, UHID, partial Aadhaar numbers, and disease details.
Jain said the bug was fixed in October last year, three weeks after he alerted the Indian Computer Emergency Response Team (CERT-In), the country’s nodal cyber security agency. This has not been reported previously.
“The vulnerability could have allowed every single patient record to be accessed,” Jain said.
According to data from the ORS website, 237 hospitals were registered on it as of November 18 and around 3.1 million appointments were made through the portal. At the time the vulnerability was found and reported, the number was around 2 million, he said.
He has also been working on leaks through hospital security infrastructure for the past year.
Jain said this incident was a “wake up call” for the government to improve and strengthen its commitment towards responsible data practices.
It was also aimed at highlighting the below-par security standards in the IT industry and at spreading awareness among companies and the government so that they treat information security as being as important as any other branch, he added.
ORS, launched under the Digital India initiative, links various hospitals across the country for patients to register and seek appointments online.
The portal also allows online appointments with various hospital departments using electronic Know Your Customer details.
According to bug bounty platform HackerOne, Indian bug bounty hunters took home $2.3 million between May 2018 and April 2019, second only to those in the United States.
Bug bounty hunters, or white hat hackers, are often rewarded for detecting and reporting vulnerabilities in software programs.