Exclusive: Govt.’s flagship ‘Ayushman Bharat’ is leaking personal data of 7 lakh+ citizens
My Lawrd has learnt that India’s flagship health scheme ‘Ayushman Bharat’ is actively leaking personal data of 7 lakh+ citizens of India. Ayushman Bharat envisages a segmented approach of health service delivery to a comprehensive need-based health care service and the government has been actively collecting personal data of crores of citizens under this scheme. Launched in September 2018, a key component of the scheme is the Pradhan Mantri Jan Arogya Yojna (PM-JAY). It was launched by Prime Minister Narendra Modi himself.
Note: Since the data is still publicly available, and the authorities who are aware of the incident have chosen not to respond, we are forced to refrain from disclosing specific details about the incident/ leakage. Doing so would endanger the privacy and security of all individuals involved.
The PM-JAY
The government claims the PM-JAY to be the largest health assurance scheme in the world. It aims to provide a cashless health cover of Rs. 5 lakhs per family per year for secondary and tertiary care hospitalization. The insurance cover extends to over 10.74 crores poor and vulnerable families (approximately 50 crore individuals).
To implement the scheme, the Ministry of Health and Family Welfare conceived the idea of a federal architecture, for the management of digital health data to ensure interoperability, technological flexibility and independence across the National Digital Health Ecosystem (NDHE). To participate in the NDHE, the National Digital Health Mission issues a Health ID to any eligible individual. It contains certain “personal health identifiers”, including a person’s name, family and relationship information, and contact details. When an individual presents the Health ID to a participating healthcare provider, it allows them to receive the individual’s lab reports, prescriptions, and diagnosis digitally.
The Breach
What is alarming and demands immediate attention is the fact that miscreants have created multiple websites which impersonate the scheme to lure citizens into sharing their personal data. These webpages claim to register/ enrol people as beneficiaries under PM-JAY and harvest crucial data of citizens including Aadhaar card. The National Health Authority has recently released a public advisory releasing details of multiple such websites.
One such website chose to upload 42 excel sheets, detailing PM-JAY beneficiaries from both rural and urban areas of Haryana. Collectively, these files are leaking data of 7 lakh+ Ayushman Bharat, or PM-JAY beneficiaries. They include the following key information:
- 29-digit Abridged House List Temporary Identification Number
- 27-digit Temporary Identification Number- National Population Register
- 24-digit House Hold ID number given to each family in the Socio Economic Caste Census (SECC), linked with Ayushman Bharat Scheme.
- Ration Card Number
- Full Address
- Details of Family including Spouse
- Date of Birth
- Mobile Number
- Caste group
- Income Source
Unfortunately, we have not been able to independently ascertain the source of the information, apart from this website. It could be from the SECC, or from the beneficiary registration process of PM-JAY.
Reporting the incident
When we came across the trove of data, we immediately wrote to the Chief Secretary (Electronics & IT), Govt. of Haryana, along with Mr. Ajay Lakra, Chief Grievance Officer CERT-In, as well as NCIIPC. Raising the issue as a major leak of personal information of citizens and a violation of their right to privacy, we provided complete details of the website, shared all relevant URLs, and requested their urgent intervention. We also requested them to take down the website immediately and initiate an investigation to plug the leak. Especially so since the said website is easily searchable through Google, and also maintains a Twitter account impersonating a government initiative, with over 8k followers!
However, we did not receive any response from either of the authorities. We followed up with them 3 days later and reiterated our request. Sadly, we are yet to receive a response.
Conveniently enough, after our follow up email, the files disappeared from the front end of the said website (removed from the menu). But since we had initially saved the URLs to the said excel sheets, we were able to access the files indicating that they are still available in the website database.
We once again request the concerned authorities to take up the issue proactively and protect the privacy of fellow citizens. Besides, we also reiterate our commitment towards the issue, and we would be happy to share all the information available with us.
A few screenshots are attached to support the information.
Update (31st May, 2021, 04:30 p.m.): Post publication of this article, the said website is inaccessible. However, once again, with convenience, the website has been put on maintenance mode. This raises suspicion about involvement of public officials in the issue. (In case you missed it earlier, when we wrote a follow up to all concerned authorities, the option to download data was removed from the website menu within a few hours. However, the data was still available in the back-end, accessible through previously saved links.)
It must be also borne in mind that the leaked data is still out there, and it would be impossible to get to the root of the issue without a proper investigation.
Since the website is no more accessible, we would like to share more details about the issue.
Update (04th June, 2021, 02:30 p.m.) : It appears that the website has been taken down completely. We are thankful to the authorities for acting on our complaint.
Do subscribe to our Telegram channel for more resources and discussions on technology law and news. To receive weekly updates, don’t forget to subscribe to our Newsletter.
You can also follow us on Instagram, Facebook, LinkedIn, and Twitter for frequent updates and news flashes about #technologylaw.
