BENGALURU: A disturbing trend of salespersons from sanitiser companies calling up Covid-19 patients soon after the test results return positive has raised huge concerns over violation of privacy and leak of medical data from the state’s Covid-19 war room itself. A Bengaluru-based programmer, who discovered this, has highlighted to the authorities how private medical data of patients is easily accessible to the public, who can misuse it.
Rekha Rao (name changed on request), a resident of Koramangala, tested positive for Covid-19. But soon after, that she received a call from a company offering Covid-19 sanitisation services at her home. At first, she assumed it was a Bruhat Bengaluru Mahanagara Palike (BBMP) protocol, but then discovered it was a private company. Rekha asked them how they got her number, to which they had no answer.
Volunteers working with BBMP to extend support to Covid-19 patients in home isolation, too, have received complaints from citizens about sales pitches for sanitisation, in the form of SMS and calls as soon as they test positive.
The answer as to how salespersons got patients’s contacts (and data) was revealed on November 10, when a Bengaluru programmer, Shashi Kumar Sah, exposed the vulnerability of the Covid-19 war room website on Twitter.It all started when Sah got tested by BBMP on October 24, after a Covid-19 positive case was reported in his apartment complex on Bannerghatta Road. He waited for five days but got no results. He used his 13-digit SRF ID on the Covid-19 war room website, only to receive a response saying “Check SRF ID entered. If it’s correct then result awaited”.
He then replaced the last digit of his ID with the subsequent number and checked the result and found the name, testing centre and Covid-19 status of that person. It turned out that the SRF ID numbers are not randomised but in a series. This was just one problem. “I decided to check what’s happening in the background. I found that the Application Programme Interface (API) was public and it gives out all personal details that were not shown on the website, such as contact number, age, gender,” Sah pointed out. In this case, the API essentially takes the input (SRF ID), processes the information, fetches the result from the database and displays it on the website.
“There is no limit to what you can do with this. You can just write a simple python script and run a loop over SRF IDs, get the response of different IDs and then access the entire database of people, testing positive or negative. When I tried it, it took me less than five minutes,” he said. He tried to inform the BBMP Commissioner about this breach of privacy, through a Twitter post, but as he did not get a response, he went public on social media.
“Any scammer can get data and commit fraud with this information. It is possible that one of the ways in which Covid-19 patients’ contacts are getting leaked to sanitisation sales persons is through such a loop hole. This is just one of the many ways to hack the system,” he told The New Indian Express.
Once authorities heard of this, they disabled the API, but test results of people can still be viewed by others, making data privacy a cause of concern.
Sah questioned how anyone can view another person's COVID test result without their consent and why an authentication cannot be done through introduction of a One Time Password (OTP).
" We give our mobile numbers while giving the test sample. The person can enter the SRF ID, get an OTP on their mobile, enter it and then view their result. This way, it won't be hackable. Why was it necessary to expose the contact details to patients? Why can’t they put authentification in these APIs? Why don't they hire better coders," he said.
Responding to TNIE's queries on if this vulnerability on the website, was one of the ways in which COVID patients' numbers were getting leaked to private companies, Munish Moudgil, incharge of the state war room said that data of patients is available with nearly 4000 government staff in Bengaluru for contact tracing, isolation and other such purposes.
"The leak may not have happened from our software but manually. When the patient details are available with 1000s of staff, such leaks are a possibility. The suggestion of using an OTP system has come to us. We are considering it. However, it can lead to problems such as delay in delivery of the OTP, problems when a person gives another person's mobile number during testing, etc," Moudgil said.
He confirmed that the issues brought to light on the Twitter thread by Kumar were addressed.