April 22, 2021 Parakh Sinha
A loophole in PHC (Public Health Centre) COVID testing machinery breaches the privacy of Bangalore citizens.
The auto-generated message you receive on your registered mobile number after getting tested for COVID-19 in a PHC (Public Health Centre) in Bangalore provides you with two 13-digit SRF (Specimen Referral Form) IDs, one that belongs to you and the other belonging to a random individual. This SRF ID can be used to log in to the state COVID war room website and access the COVID test result and other confidential information, like the name and health status of another person in Bangalore.
This auto-generated message is being sent by VD-MyGov, which comes under the MyGov portal of the National Informatics Centre (NIC).
Caption: On the left is the format used by the Karnataka Government, with a single SRF ID; on the right is the message generated by NIC (National Informatics Centre), with two SRF IDs.
“The RT-PCR ID being sent in these messages is by the Government of India, which is generated through the central government app. If tested in a government hospital, the message then generated by the Karnataka Government contains just one SRF ID and a BU (Bengaluru urban) number, but the other ID in the VD-MyGov messages is not used by the Government of Karnataka to interact with citizens,” said an ex-employee of the Bengaluru COVID war room.
Pushpa, a citizen of Bengaluru, recently got tested in a PHC in the city and received a similar message. “I don’t understand why the government would do this. I want to have the choice of sharing my personal information with anyone; I do not wish for a random person to know my test results. They should rectify this issue as soon as possible.”
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data and Information) Rules 2011 define ‘sensitive personal data’ as personal information relating to passwords, medical records and history, physical and mental health.
“The Karnataka Government is the only state in the country that has an online portal to access COVID test results,” said the ex COVID war room employee.
The war room has come under fire before over a breach of privacy, when it was providing phone numbers of individuals on the COVID test result website, a mistake that was rectified after it was brought to notice by media outlets.
Privacy has been put on the back burner during the pandemic. Several states have tried to become more efficient in their handling of the spread of the virus by contact tracing using confidential information of citizens. An attempt was made by the Karnataka government, which published the addresses of the people who were testing positive for COVID-19.
“Section 72 of The Information Technology Act, 2000 states that the breach of confidential and private information of a citizen can be a criminal offence; if there is a policy in place in the said department then it is an offence even for the government to publish such details,” said Mr Mukesh Chaudhary, a cyber security expert.
Section 72A of the IT Act states that “… if any person …, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.”
Section 72 exclusively addresses personal information accessed by a government official.