In February 2020, a major data breach was reported from Breach Candy Hospital, Mumbai. At that time, Naavi.org called it an “I Love You moment”, recalling the incident in 2000 when the “I Love You” virus hit the Internet and woke Indian regulators into passing the Information Technology Act 2000 (ITA 2000), which had otherwise been kept in cold storage in a Standing Committee.
In the Breach Candy incident, over 121 million medical records of Indian patients had been exposed for lack of secure storage. The data, which included X-rays, scans, patient history, national ID, date of birth etc., had been stored in the cloud and was accessible over the Internet without a password. The data was stored in DICOM (the Digital Imaging and Communications in Medicine standard) on a server that is meant to be accessible only to the registered medical practitioners attending the patient, and to the patient, with appropriate user names and passwords; instead it was negligently left open.
This entire data set must be presumed to be in the Dark Web by now and could be exploited by criminals.
The incident was called an “I Love You moment” because it was felt that it would ensure the passage of the Personal Data Protection Act in India, which was pending with the JPC. Unfortunately Covid intervened and the JPC's work was delayed. The JPC has till now not completed its study, and the presentation of the Bill back in Parliament has been postponed again and again. It has now been pushed beyond 2020 and may be presented only in January 2021.
When the Breach Candy data breach occurred, it was a failure of “Reasonable Security Practice” under Section 43A of the ITA 2000, and it was possible for any affected party to file a complaint against the hospital for compensation. There could have been a PIL (Public Interest Litigation) as well. But no victim came forward.
However, it would have been possible for the regulatory mechanism to take some proactive steps to recognize the incident as a representative one that required attention, in the interest of preventing such incidents in future. The Adjudicator of Maharashtra could have taken suo motu action under Section 46 of ITA 2000. CERT-In could have conducted an enquiry and suggested remedies. Even a High Court could have taken suo motu action and initiated an enquiry.
However, none of these regulatory bodies thought it fit to step in and take action that would have brought better discipline into the system. All of them collectively exhibited the apathy and ignorance which is the bane of our country. Probably none of them wanted to do anything that could put the well known hospital into disrepute.
Now another major data breach has hit us, in the form of Dr Lal PathLabs. The Personal Data Protection Bill is still a Bill, and again we need to fall back on the ITA 2000. At least now we need to see whether CERT-In conducts an enquiry, whether some Adjudicator takes up a suo motu enquiry on behalf of the affected patients, or whether some PIL gets filed in a High Court.
According to the information available, Dr Lal PathLabs, headquartered in New Delhi, serves 70000 patients a day and stores the medical diagnostic results on Amazon Web Services.
It is alleged that the data was stored without password protection.
It is hard to see how any IT operator handling the data could be unaware of the need to restrict access to, and encrypt, data kept in cloud storage. Having a password is an LKG (kindergarten) lesson we teach our students, and if data is stored without a password, or with a password such as admin123, the person responsible cannot be recognized as “IT literate”.
If the company had engaged such IT operators, then the management of the company, which describes itself as “an international service provider of diagnostic and related health tests”, including the board of directors, should ask themselves whether they had any moral right to be in a business as critical as health care.
It is immaterial:
whether the IT team of the company, the CEO or the Directors were aware of Information Security or Data Security or not;
whether they were aware of HIPAA standards or Section 43A of ITA 2000 or not;
whether they were aware of the Personal Data Protection Bill 2019 or not;
whether there was a DPO in the company or not, or whether he was a certified data professional or not.
But if they did not have basic “password control” for the Amazon cloud storage, then they need to reassess their managerial credentials.
Amazon provides storage services that can be configured to HIPAA standards, and it is difficult to see how access would have been enabled without a password, let alone without something stronger than admin123. Perhaps the report that the database was not password protected is not accurate. The possibilities are that a default password was used, or that the lab had a system in which the password was broadcast to all its units so that anybody could use the database. It is also worth noting that AWS storage services such as S3 do not use passwords at all: access is decided by IAM and bucket policies and by ACLs, so a report of “no password” usually means a bucket or object that was configured to be readable by anyone.
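Since an S3 bucket has no password and becomes “open” only through a policy or ACL that grants access to the anonymous principal, the check a practitioner would actually run is on those documents. The following is an added example, not code from this post or from Dr Lal PathLabs. It assumes, hypothetically, that the storage in question was an S3 bucket, and inspects a bucket policy and an ACL grant list offline for world-readable access, showing the weak configuration beside a corrected one. The bucket name, account ID, role name, policies and grants are all constructed for the example.

```python
"""Offline check: does an S3 bucket policy or ACL let anyone read the objects?

Added example, not code from the Naavi.org post or from Dr Lal PathLabs. It
assumes (hypothetically) that the exposed store was an S3 bucket. S3 has no
password: access is decided by IAM, the bucket policy, ACL grants and Block
Public Access, so "no password" in a press report normally means a policy or
ACL that lets the anonymous principal read. All inputs below are constructed.
"""
import json

# ACL groups that mean "everyone" (AuthenticatedUsers is any AWS account in the world).
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}  # actions that read object contents


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} means anyone, including unauthenticated callers."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_read_statements(policy_json):
    """Return (Sid, verdict) for each Allow statement granting object reads to anyone.

    No Condition means PUBLIC. A Condition is flagged for REVIEW rather than
    trusted: a wide aws:SourceIp range still amounts to public access.
    """
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny with Principal "*" is normal, e.g. forcing TLS for everyone
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if not any(a.lower() in READ_ACTIONS for a in _as_list(stmt.get("Action"))):
            continue
        verdict = "REVIEW" if stmt.get("Condition") else "PUBLIC"
        findings.append((stmt.get("Sid", "<no Sid>"), verdict))
    return findings


def public_acl_grants(grants):
    """Return (group URI, permission) for grants to the AllUsers/AuthenticatedUsers groups."""
    return [
        (g["Grantee"]["URI"], g["Permission"])
        for g in grants
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS
    ]


def bucket_is_public(policy_json, grants):
    """True on an unconditional anonymous read in the policy or a public-group ACL grant."""
    policy_public = any(v == "PUBLIC" for _, v in public_read_statements(policy_json))
    return policy_public or bool(public_acl_grants(grants))


BUCKET = "arn:aws:s3:::example-lab-results"  # constructed bucket name

# Weak setting: every object is readable by the world.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": BUCKET + "/*"}]})

# Corrected setting: only a named role (constructed account ID) may read, and a
# Deny for everyone refuses plaintext transport. That Deny is an intentional
# Principal "*" and must not be reported as exposure.
LOCKED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ReportReaderRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/lims-report-reader"},
     "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})

# ACL grants in the shape S3's GetBucketAcl returns; the second grant is the exposure.
OPEN_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]
PRIVATE_ACL_GRANTS = OPEN_ACL_GRANTS[:1]

if __name__ == "__main__":
    for name, pol, acl in (("open", OPEN_POLICY, OPEN_ACL_GRANTS), ("locked", LOCKED_POLICY, PRIVATE_ACL_GRANTS)):
        print(name, public_read_statements(pol), public_acl_grants(acl), bucket_is_public(pol, acl))
```

Run as a script it prints the verdicts for both configurations: the open bucket is flagged by its policy and its ACL, the locked one by neither, even though the locked policy also contains a Principal “*” statement. In practice one would feed the output of get-bucket-policy and get-bucket-acl for every bucket through such a check, and additionally turn on S3 Block Public Access at the account level so that a policy like OPEN_POLICY cannot be applied in the first place.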
Whatever the reason for the data breach, it is sad to note that a company as large as Dr Lal PathLabs could have such a callous approach to data security.
What is lost is lost. Whether we fine the company Rs 5 crores or Rs 100 crores is immaterial. What is now required is for us and the regulators to reflect on how long we will keep postponing the passage of the Personal Data Protection Act, and how long CERT-In and the Adjudicators under ITA 2000 will remain mere showpieces in India's system of data protection.
Though the JPC on the Personal Data Protection Bill has taken time up to the budget session to submit its report, it is time for the members of the JPC and its Chairperson to rethink and try to submit their report at least in the December session of Parliament.
“The Company has implemented appropriate security practices and standards and has a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business. Further, the Company takes appropriate security measures to protect against unauthorized access to or unauthorized alteration, disclosure or destruction of data and restricts access to your personal data to the Company’s employees who need to have that information in order to fulfil your request or supply our services.”
The problem is what “appropriate” means in this context, and that needs to be debated.