A misconfigured MongoDB database, managed by the Indian government healthcare agency, was left online without a password exposing more than 12.5 million medical records of pregnant women. The incident came into light after the security researcher Bob Diachenko identified and reported the data breach to the Indian Computer Emergency Response Team (CERT), which immediately took the server down. The Ministry of Electronics and Information Technology clarified that they secured the leaky server on March 29, 2019.
Diachenko stated that he first identified the leaky database on March 7, 2019, which belong to the Department of Medical, Health, and Family Welfare of a state in India, that contained sensitive medical information, including the test reports of the women who were pregnant women who underwent an ultrasound scan, amniocentesis, and other genetic testing of their unborn child in 2014.
The unprotected database contained 7,449,714 forms F and other forms detailing all the aspects of a medical inspection, including anonymous complaints, court cases details, doctors’ details, children details (sex, age, status) were left open for almost a month, according to Diachenko.
“Medical data is among the most sensitive information that organizations can collect, store, or share. It is never a good idea to store medical data in plain text or leave it publicly accessible. The nightmare of any patient to give your most intimate medical details to your Doctor or medical professional and then hope it is never leaked online. Although this massive data breach affects millions of pregnant women in India, it could happen anywhere and reminds us once again how important data privacy is,” Diachenko said in a blog post.
In a similar incident, an unsecured Elasticsearch database exposed the real-time location data for over 11,000 Indian buses online over three weeks. ElasticSearch, an enterprise search engine, provides technology solutions for powering search functions. According to Justin Paine, the security researcher who discovered the breach, the unprotected server was left visible online without a password exposing real-time GPS and bus route information from 27 Indian transportation agencies via an ElasticSearch server.
The server exposed the data of 26 road transport agencies, including Kochi Metro Rail Limited. The exposed information included the details like bus license plates, start-stop stations, route names, GPS coordinates, and details of commuters like usernames and emails.