India health data faces rising risk of breaches, cyberattacks

• Leak of vaccination data of millions of Indians concerning, say digital experts
• Push to digitise health data without safety measures "reckless"
• Authorities say data is secure, plan to introduce data protection law

Last year, responding to reports of breaches of data from India's CoWIN vaccine portal, the head of the National Health Authority, RS Sharma, said that it had "state-of-the-art security infrastructure and has never faced a security breach."

Last month, Sharma's own personal data was exposed in a massive leak of CoWIN data via the Telegram app. Officials first denied a breach had taken place, then days later, Delhi police said they had arrested two individuals in relation to the leak.

The data leak - including names, Aadhaar national IDs, mobile numbers, voter IDs, passports and COVID vaccination status of millions of individuals - was one of the largest in India, and came on the heels of other breaches of CoWIN and Aadhaar data, and the records of a leading hospital in Delhi.

The recent breaches of health data are particularly concerning, digital experts said, as they leave individuals vulnerable to scams, harassment and discrimination without remedy in the absence of a data protection law in the country.

They warned it also undermines India's aim to develop and export to Asian and African countries its digital public infrastructure model comprising Aadhaar, mobile payment system UPI and the National Health Stack data platform, that authorities say will improve access and efficiency.

But in pushing its digital public infrastructure "India is putting people at risk from data collection and data overreach," said Raman Jit Singh Chima, Asia policy director at digital rights group Access Now. "It's a bad model."

"The push for greater digitisation of health data is happening without discussion or adequate data protection. India is seeing an increase in cyberattacks, and the refusal to acknowledge breaches and to hold institutions accountable is a reckless approach," he said.

The ministry of electronics and information technology did not respond to a request for comment.

The health ministry, in a June 12 statement, said that the CoWIN portal "is completely safe with adequate safeguards for data privacy. All steps have been taken and are being taken to ensure security of the data."

The federal Computer Emergency Response Team was investigating the incident, it added. No details have since been released.

Junior IT minister Rajeev Chandrasekhar said at the time that the leaked CoWIN data was accessed by a bot "from a threat actor database, which seems to have been populated with previously breached/stolen data."

"It does not appear that CoWIN app or database has been directly breached," he said on Twitter.

Highly sensitive

Under the ambitious Digital India programme, there is increasing digitisation of data and services in the country.

The national digital health mission that aims to link individual health records to a unique ID similar to the Aadhaar ID, has raised concerns about data security and the potential for misuse.

In the rush to build out the digital public infrastructure, "the very suitability of these technologies has gone unchallenged," said Aarushi Gupta at Digital Futures Lab, a research collective.

"Given the vast amounts of data collection, processing, and exchange ... citizens are at considerable risk of their data being leaked and their privacy rights being compromised, as seen with the recent leak," she added.

India was the biggest target for cyberattacks after the United States in 2021 and 2022, with nearly 500 attacks last year, an increase of nearly a fourth, according to cybersecurity firm CloudSEK.

A separate study by NordVPN, a virtual private network service provider, last year showed India was the worst hit by data breaches, with some 600,000 people having had their data stolen and sold on bot markets by hackers.

Last year, India took aim at VPNs that provide users with anonymity online, with new legislation that it said would improve cybersecurity, including requiring firms to report data breaches within six hours of noticing them.

But India's national cybersecurity policy hasn't been updated since 2013, leaving the country's expanding digital infrastructure vulnerable to new threats, said Prateek Waghre, policy director at Internet Freedom Foundation, a non-profit.

It is also not clear if a long-delayed data protection bill that is expected to be passed soon, will protect sensitive health data, he told Context.

"There is a question of how effective the bill will be, and whether government agencies will be exempt from accountability in case of a breach," Waghre added.

"The more data there is, the more it can be abused. If you can access the entire medical history of individuals, imagine how valuable that is for the private sector; how will it be protected from misuse?"

Major target

Healthcare institutions worldwide are increasingly victims of hacks and cyberattacks, with vaccination records and the personal information of patients and healthcare workers most frequently targeted, according to a study by CloudSEK.

In November, the All India Institute of Medical Sciences (AIIMS), a federal government hospital that caters to ministers, politicians and the general public, was hit by a cyberattack that shut down its servers and disrupted patient care for weeks.

The attack, which officials said had come from a foreign country, is reported to have compromised the records of up to 40 million patients.

Earlier, the data of millions of pregnant women was exposed online by a government agency, local media reported.

"Any data leak is harmful, and there are no protocols for confidentiality of sensitive data such as pregnancy, HIV treatment or vaccinations," said Amulya Nidhi, founder of Jan Swasthya Abhiyan, or People's Health Movement, a non-profit.

"With leaks of such sensitive data, people can be badly affected. Our entire social framework can be affected."

(Reporting by Rina Chandran in Bangkok. Editing by Zoe Tabary)