It is disgraceful that there are so many huge data leaks involving sensitive personal data, and yet here we are again. Cybernews reports:
Health Genie, a healthcare IT solutions provider, left an open instance, exposing patients’ personal details as well as sensitive clinical data.
The India-based healthcare solutions provider left an open Amazon S3 bucket, exposing over 36 gigabytes of data, or nearly 450,000 documents, the Cybernews research team discovered.
Health Genie provides numerous health care services, such as finding doctors, booking appointments, electronic health record (EHR) systems, reporting and analytics, financial monitoring, and other services. The Health Genie app has over 100,000 downloads on the Google Play store.
According to the team, the exposed instance contained a trove of personal identifiable information (PII) and identifiable health records. The exposed bucket exposed: Patient bills, Clinical notes, Lab reports, Appointment details (photos, screenings, etc.), Names, Dates of birth, Phone numbers, Addresses, Medical contract numbers, Medical histories, Payment details.
And what will likely surprise no one, the dataset was reportedly exposed for several months after researchers discovered the leak and notified the company of the leak.
Read more on Cybernews.
For how long was the data exposed before Cybernews discovered it?
How many people may have accessed and downloaded the data?
Is Health Genie considered a processor/agent or is it a controller/owner under India’s Digital Personal Data Protection (DPDP) Act that went into effect in 2023 — or it is neither? What are their legal obligations in this type of situation? Any experts on Indian data protection law care to explain how the DPDP will apply in this situation?
DataBreaches emailed Health Genie seeking additional details about the duration of the leak, access to exposed files, and whether Health Genie will be notifying individuals. No reply was immediately available, but this post will be updated when a reply is received.