Shocking: Labs often hire hackers to leak medical data
Friday's massive data leak forced the Parel-based laboratory, Health Solutions, to deactivate its website and erase all the information from there, but many fear that the damage has already been done
Imagine spending all your life battling a deadly condition like HIV or tuberculosis, living in the constant fear of being ostracised if anybody ever finds out. On Friday, 43,000 patients woke up to this nightmare – their medical reports had been leaked by a hacker. But who is sick enough to do this?
The data leak included patients’ blood reports revealing what ailments they were suffering from
Cyber crime and medico-legal experts claim that the hacker’s intention may have been to blackmail patients with their confidential reports. On the other hand, industry insiders also revealed that it is not uncommon for labs to hire hackers to expose and defame their competitors. Either way, it is the patients who will end up paying the price. Not only are the patients’ personal details like their names and addresses out in the open, but anyone with access to the data will also be able to see what the patient is suffering from, right from the common cold to TB to erectile dysfunction.
Quite apart from the fact that every patient has a right to privacy, it is patients with stigmatised conditions who have been left most exposed by this leak. Take Sumitra Guha (32, name changed), an HIV-positive patient from Thane, who got the shock of her life when she found out about the leak. “When I first heard, I didn’t believe it. But when I saw the news, I was shocked. In our society, patients like us carry a stigma. We have to hide our condition, or else society will ostracise us. I have an 8-year-old son who goes to school and if anyone finds out about my illness, my son will also be stigmatised, even though he is HIV-negative,” said Guha.
There are many others who live with different ailments, but similar fears. When 32-year-old Aman Sharma (name changed) developed erectile dysfunction, it took immense courage to start treatment for it two weeks ago. Now, he is terrified that his private condition could be made public if a similar incident were to happen to him. “It’s obviously not very comforting to know that my privacy can be breached; I will become a laughing stock in society. It is necessary to have a regulatory body in place that can intervene and punish the culprit. The hacker is roaming free, while some poor patient with AIDS is devastated.”
Raghu Kumar came to Mumbai from Uttar Pradesh in search of a better job. But in 2010, he contracted TB while working as a daily wage worker. When his colleagues found out, he was fired and had to leave in disgrace. He couldn’t find another job and couldn’t send money home either. He had nearly sunk into depression, but was rescued by the NGO Aastha, which works with TB patients at the Sewri TB hospital. Now he works with the NGO and helps other patients get back on their feet. Recollecting his humiliation, he said, “It was not my fault that I contracted the infection. The treatment I received from my friends and colleagues still haunts me. Even though TB is curable, society still doesn’t accept those ailing from it. Every day, I meet patients who recount similar stories.”
When asked about the data leak, he said, “At a time when many path labs are providing reports online, they need to be more careful with the information as it can directly affect the life of patients.”
Blackmail or sabotage?
“First we have to understand why a hacker would steal such information. It can be for two reasons — they want to blackmail patients or terrorise them for personal benefit. If a hacker gets access to all the confidential reports of the patients with their names and addresses then he can easily track them and blackmail them,” said Anand Patwardhan, an expert in medical ethics and treasurer, Council For Fair Business Practices.
The US-based server of the Health Solutions website has already been hacked several times, revealed Shubham Singh, an ethical hacker who examined the now defunct website for signs of a breach. But what interest would anyone have in the medical records of absolute strangers? “This particular website was definitely hacked. Some hackers do it for fun, others do it for money. The hacker could have been hired by a competitor, or someone who had a vested interest in defaming patients with AIDS,” suggested Singh.
The possibility of industrial espionage was confirmed by Dr Rajiv Rao, a professor at DY Patil Institute of Medical Sciences, and the owner of Jairaj Diagnostic Centre. “Sometimes, competitors hire hackers to defame a lab. It could also be for some vested interest of a third party,” he explained.
Psychiatrists said patients suffering from such sensitive ailments may turn to suicide if they are exposed. “We often get patients who have sexual disorders and go into depression. Men feel depressed because they think people will question their manhood and they will be mocked. Similarly, if a female fails to conceive for any health issues, they won’t like to reveal it even to their family members, as people are still narrow-minded about such issues. The condition is even more severe for patients with HIV and TB. Some of them develop suicidal tendencies when their disease is revealed, as their family members often refuse to support them,” said Dr Sagar Mundada, psychiatrist at KEM Hospital.
Did the lab take enough precautions to prevent such a leak? Perhaps not. “This particular server of the website has been hacked several times before, and it is easily breachable,” said hacker Shubham Singh.
Pathologist Dr Rajiv Rao, who runs his own diagnostic centre, Jayaraj Laboratories, explained that many labs choose to host their records on a web server rather than on a server inside their own premises, as that is cheaper.
“This system should be protected on multiple levels, but not a lot of doctors are aware how. Also, in India, if something is not mandatory, people don’t bother with it. There are no regulations even for starting a lab in India, so how can one expect to have regulations in the software?” he questioned.
Finding the culprit
The website www.hsppl.com now states ‘We are upgrading our website’. But no one knows for how long the data was available before it was erased.
The hacker appears to be based in India but to have operated from behind a server located in China. While the police will no doubt work to find the hacker, what about the lab’s responsibility to protect the confidential information?
Prasad Kulkarni, executive member of Maharashtra Association of Pathologists and Microbiologists, said, “According to the code of conduct of the medical council, whichever pathologist approved the report is to be held responsible for the leak. When a pathologist signs the report, it’s a mark of the doctor saying he is going to maintain confidentiality.”
Pathologists are regulated by the Medical Council of India (MCI), under which it is mandatory for all physicians to protect the confidentiality of patients, including their personal and domestic lives. This confidentiality can only be breached under extraordinary circumstances, such as a fatal risk to someone. Vivek Tilwani, medico-legal expert at a government hospital said, “All pathologists are responsible for ensuring that the patients’ confidentiality is not breached and the reports aren’t easily accessible by outsiders.”
Though private laboratories don’t fall under the umbrella of the MCI, they are accountable to the BMC, which issues their licences. If they are found to have violated patients’ confidentiality, their licence can be suspended.
Dr Padmaja Keskar, health officer of the BMC and project director of the Maharashtra State AIDS Control Society, said, “This is a complete violation of patients’ confidentiality. Laboratories should be more careful while handling such issues. We will look into the matter.” The DCP (cyber crime) refused to comment.