Medical Data Leaks | 05 Feb 2020

Why in News

A German cybersecurity firm, Greenbone Sustainable Resilience, has published its second report on medical data leaks.

  • According to the report, medical details of over 120 million Indian patients have been leaked and made freely available on the internet.
  • The first report, published in October 2019, had observed a widespread data leak of a massive number of records, including images of CT scans, X-rays, MRIs and even pictures of the patients.
    • After the first report was published, the number of medical data leaks bearing the patients’ information increased from 6,27,000 to 1.01 million, and the number of images of patients’ details rose from 105 million to 121 million.

Key Findings for India

  • Categorisation of Countries
    • The report classified countries into “good”, “bad” and “ugly” categories based on the action taken by their governments after the first report was made public.
    • India ranks second in the “ugly” category, after the U.S.
  • State-wise Analysis
    • Maharashtra reported the maximum medical data leaks, followed by Karnataka and West Bengal.
  • Reasons
    • Generally, medical details are stored on Picture Archiving and Communications System (PACS) servers which are linked to the public internet without any protection. Thus, the lack of security makes them easily accessible to malicious elements.
      • PACS is a medical imaging technology which provides economical storage and convenient access to images from multiple modalities.
  • Concerns
    • Doctors or hospitals are ethically, legally and morally bound to maintain the confidentiality of medical records. The report indicates the moral irresponsibility on the part of medical practitioners.
    • Fake identities could be created using the leaked medical details, and these fake identities can be misused in any possible way.

Data Protection in India

  • The Information Technology Act, 2000, amended in 2008, contains provisions for the protection of electronic data.
  • The Information Technology (Reasonable Security Practices and Sensitive Personal Data) Rules were framed under Section 43A of the IT Act and set out a procedure for corporate entities that collect and possess personal data.
  • According to the Supreme Court in the Puttaswamy judgement (2017), the right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy.
  • Recently, the Indian Parliament tabled the Personal Data Protection (PDP) Bill, 2019 which would be India’s first attempt to domestically legislate on the issue of data protection. The Bill categorises certain personal data as sensitive personal data. This includes financial data, biometric data, health data, caste, religious or political beliefs.

Source: TH