Incident: Government Health Portal Data Breach Exposes Two Million Patients

Published Date: 2019-12-03

Postmortem Analysis
Timeline 1. The software failure incident happened in August 2018 as mentioned in Article 93358.
System 1. Online Registration System (ORS) in the government health portal of India [93358]
Responsible Organization 1. The bug discovered in the government health portal was responsible for causing the software failure incident, leading to the leakage of millions of patients' health information [93358].
Impacted Organization 1. Nearly two million Indian patients had their personal details and health information exposed due to the bug in the government health portal [93358].
Software Causes 1. A bug in the government health portal's Online Registration System (ORS) left data of nearly two million Indian patients unguarded, allowing unauthorized access to personal details and health information [Article 93358].
Non-software Causes 1. Lack of appreciation and recognition for ethical hackers by the Indian government despite their efforts to enhance data security [93358]. 2. Legal risks and fear of retribution faced by ethical hackers when disclosing vulnerabilities, especially when related to government agencies [93358].
Impacts 1. The bug discovered in the government health portal in India led to the exposure of personal details and health information of nearly two million users, including full names, addresses, ages, mobile numbers, patient IDs, Aadhaar numbers, and details of diseases (Article 93358). 2. The vulnerability risked the leakage of millions of patients' health information, potentially allowing attackers to access and cancel appointments at specific hospitals (Article 93358). 3. Stolen medical patient records are highly valuable on the dark web, being sold at 10 times the value of credit card information, leading to potential misuse such as false insurance claims, prescription of restricted drugs, and selling patient profiles (Article 93358).
Preventions 1. Regular security audits and penetration testing of the government health portal could have potentially identified and fixed the vulnerability before it was exploited [93358]. 2. Encouraging ethical hacking and bug bounty programs could have incentivized security researchers to responsibly disclose critical bugs, leading to quicker identification and resolution of vulnerabilities [93358]. 3. Implementing a protocol for vulnerability reporting and establishing a clear framework for handling such reports could have facilitated a smoother process for addressing and fixing vulnerabilities in digital assets [93358].
Fixes 1. Encouraging ethical hacking in India to identify and report vulnerabilities in government systems [93358] 2. Acknowledging and appreciating the efforts of security researchers and ethical hackers who responsibly disclose critical bugs [93358] 3. Establishing a "hall of fame" list online to recognize researchers who have disclosed flaws in government digital assets [93358] 4. Implementing legal protections for security researchers who responsibly disclose bugs to prevent retribution from authorities [93358] 5. Developing a progressive bug bounty program to incentivize researchers to report vulnerabilities and improve system security [93358]
References 1. Security researcher Avinash Jain [Article 93358] 2. Indian Computer Emergency Response Team (CERT-In) [Article 93358] 3. Rajesh Maurya, a cyber security analyst [Article 93358] 4. Apar Gupta of Internet Freedom Foundation [Article 93358] 5. Srinivas Kodali, a security researcher [Article 93358]

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization (a) The software failure incident related to the vulnerability in the government health portal in India, where a bug left data of nearly two million Indian patients unguarded, happened at the state-run health portal in India. The vulnerability was discovered in the Online Registration System (ORS) of the government health portal [93358]. (b) The incident of a software vulnerability leading to the exposure of sensitive patient information is not explicitly mentioned to have occurred at multiple organizations in the articles provided. Therefore, there is no information available about similar incidents happening at other organizations or with their products and services.
Phase (Design/Operation) design (a) The software failure incident related to the design phase: The incident of the bug discovered in the government health portal in India, which left data of nearly two million Indian patients unguarded, was a result of a design flaw in the Online Registration System (ORS) of the health portal. The vulnerability allowed unauthorized access to personal details and health information of users who had booked appointments at government hospitals. This flaw was introduced during the development phase of the system [93358]. (b) The software failure incident related to the operation phase: The failure due to contributing factors introduced by the operation or misuse of the system was not explicitly mentioned in the provided article.
Boundary (Internal/External) within_system, outside_system (a) within_system: The software failure incident reported in the articles was due to a bug discovered in a government health portal in India, specifically in the Online Registration System (ORS) [93358]. The bug allowed unauthorized access to personal details and health information of nearly two million users who had booked appointments at government hospitals. This vulnerability originated from within the system itself, highlighting a flaw in the design or implementation of the health portal software. (b) outside_system: The incident also sheds light on the importance of ethical hacking in India and the challenges faced by security researchers who responsibly disclose critical bugs. While the vulnerability was within the system, the response to such incidents, the legal risks associated with disclosing vulnerabilities, and the lack of protection for security researchers are factors originating from outside the system, such as government policies, legal frameworks, and societal attitudes towards cybersecurity [93358].
Nature (Human/Non-human) non-human_actions (a) The software failure incident occurring due to non-human actions: The software failure incident in the Indian government health portal was due to a bug discovered by security researcher Avinash Jain in the Online Registration System (ORS) in August 2018. This bug left the data of nearly two million Indian patients unguarded, risking the leakage of their health information. The vulnerability allowed unauthorized access to patient details such as full name, address, age, mobile number, patient ID, Aadhaar number, and details of diseases ailing an individual. The bug was a result of a vulnerability in the system, not introduced by human actions [93358]. (b) The software failure incident occurring due to human actions: The article does not provide specific information about the software failure incident being directly caused by human actions. However, it does mention the importance of ethical hacking and responsible disclosure of vulnerabilities by security researchers to prevent cyber-attacks and access flaws in digital infrastructure. It highlights the challenges faced by ethical hackers in India, including legal risks and lack of acknowledgment for their efforts in disclosing critical bugs [93358].
Dimension (Hardware/Software) software (a) The articles do not mention any software failure incident occurring due to contributing factors originating in hardware [93358]. (b) The software failure incident mentioned in the articles occurred due to a bug discovered in a government health portal, leading to the leakage of millions of patients' health information. The vulnerability in the Online Registration System (ORS) allowed unauthorized access to personal details and health information of nearly two million users. This incident was a result of a software bug in the government portal [93358].
Objective (Malicious/Non-malicious) non-malicious (a) The software failure incident described in the article is non-malicious. The vulnerability in the government health portal was due to a bug discovered by a security researcher, Avinash Jain, in the Online Registration System (ORS) in August 2018. This bug left the data of nearly two million Indian patients unguarded, allowing unauthorized access to personal details and health information. Mr. Jain responsibly reported the vulnerability to the Indian Computer Emergency Response Team (CERT-In), and the flaw in the government portal was patched in October last year [93358]. (b) The incident was not a result of malicious intent but rather a consequence of a software bug that exposed sensitive patient information. The security researcher highlighted the need for ethical hacking in India to identify and address such vulnerabilities in digital infrastructure to prevent potential cyber-attacks on portals hosting sensitive user information [93358].
Intent (Poor/Accidental Decisions) poor_decisions, accidental_decisions (a) The software failure incident reported in Article 93358 was primarily due to poor decisions. The vulnerability in the government health portal that risked the leakage of millions of patients' health information was a result of a bug discovered in the Online Registration System (ORS). This bug left data of nearly two million Indian patients unguarded, allowing unauthorized access to personal details and health information. The incident highlighted the need to encourage ethical hacking in India, indicating that the failure was a result of poor decisions in the development and maintenance of the portal [93358]. (b) Additionally, the incident also involved accidental decisions or unintended consequences. The security researcher, Avinash Jain, accidentally discovered the vulnerability in the health portal while exploring the system. His intention was not to exploit the bug but to responsibly disclose it to the authorities for fixing. This accidental discovery led to the identification and patching of the flaw, showcasing the unintended consequences of system vulnerabilities that could have been exploited by malicious actors [93358].
Capability (Incompetence/Accidental) development_incompetence (a) The software failure incident related to development incompetence is evident in the bug discovered in a government health portal in India. The vulnerability risked the leakage of millions of patients' health information due to a bug in the Online Registration System (ORS) that left data of nearly two million Indian patients unguarded. The bug allowed unauthorized access to personal details, health information, appointment history, patient ID, Aadhaar number, and disease details of users who had booked appointments at government hospitals [Article 93358]. (b) The software failure incident related to accidental factors is highlighted by the inadvertent exposure of patient data due to the bug in the government health portal. The bug was discovered by a security researcher, Avinash Jain, who responsibly disclosed the critical vulnerability to the Indian Computer Emergency Response Team (CERT-In) for remediation. The accidental exposure of sensitive patient information due to the bug underscores the importance of ethical hacking and responsible disclosure practices to prevent unauthorized access and data breaches [Article 93358].
Duration temporary (a) The software failure incident related to the vulnerability in the government health portal in India was temporary. The bug in the Online Registration System (ORS) was discovered by security researcher Avinash Jain in August 2018 and was patched in October of the same year after being reported to CERT-In [Article 93358].
Behaviour crash (a) crash: The software failure incident described in the article can be categorized as a crash. The vulnerability in the government health portal led to a situation where personal details and health information of nearly two million users could have leaked due to a bug in the Online Registration System (ORS) [Article 93358]. This bug could have allowed any attacker to access details of patients who had booked an appointment in any of the 237 registered government hospitals, indicating a failure in the system's ability to maintain its state and perform its intended functions properly, leading to a potential crash.

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property, non-human, theoretical_consequence (a) death: People lost their lives due to the software failure - No information about people losing their lives due to the software failure was mentioned in the articles. (b) harm: People were physically harmed due to the software failure - No information about people being physically harmed due to the software failure was mentioned in the articles. (c) basic: People's access to food or shelter was impacted because of the software failure - No information about people's access to food or shelter being impacted due to the software failure was mentioned in the articles. (d) property: People's material goods, money, or data was impacted due to the software failure - The software failure incident led to the exposure of personal details and health information of nearly two million Indian patients, including full names, addresses, mobile numbers, patient IDs, and details of diseases. This could potentially impact the privacy and security of the individuals' data [93358]. (e) delay: People had to postpone an activity due to the software failure - No information about people having to postpone an activity due to the software failure was mentioned in the articles. (f) non-human: Non-human entities were impacted due to the software failure - The software failure incident exposed vulnerabilities in a government health portal, risking the leakage of millions of patients' health information [93358]. (g) no_consequence: There were no real observed consequences of the software failure - The software failure incident had real observed consequences, such as the exposure of personal details and health information of nearly two million Indian patients [93358]. (h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur - The potential consequences discussed included the risk of stolen medical patient records being sold on the dark web for various malicious purposes, such as submitting false insurance claims or selling patient profiles [93358]. (i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? - The articles did not mention any other specific consequences of the software failure beyond the exposure of sensitive patient information and the potential risks associated with such data breaches.
Domain health, government (a) The failed system was related to the healthcare industry. The bug discovered in the government health portal in India exposed the personal details and health information of nearly two million users, highlighting the vulnerability of patient data in the healthcare sector [Article 93358].

Sources

Back to List