Indian Government’s eHospital system exposed 2.48 billion medical records due to misconfigured server

Representatives of the Indian government announced that they have patched a security issue in eHospital, the government's healthcare information management system, which would have resulted in the exposure of the personal records of millions of patients, including full names, dates of birth, and telephone numbers.

According to the report published by Gadgets 360, the eHospital portal was designed to digitize the records of government hospitals and store all the information of medical facilities and personnel on a single platform.

Bob Diachenko, a renowned security researcher, discovered that the eHospital leak was caused by a misconfigured Elasticsearch cluster, which allowed anyone with some knowledge of the subject to access the information stored in the system.

Diachenko shared his findings with Gadgets 360, which reached out to the National Informatics Centre (NIC), developers of the eHospital system. NIC security teams addressed the flaw soon after the report was acknowledged.

In its security alert, NIC admits that the incident may have led to the exposure of sensitive data: “Sometimes developers forget to close access to information systems, leading to data breaches. The issue was addressed as soon as it was reported… We are grateful for the timely reporting on this error,” the NIC adds.

Recent data indicates that eHospital processed the records of some 4.8 million patients in India during the month of April alone, in addition to recording some 2.48 billion transactions since its launch in 2015. The system keeps records of 631 hospitals across India, including both state hospitals and central government facilities.

At the end of 2021, the Union Ministry of Health began keeping digital records of all medical facilities and health personnel under the Ayushman Bharat Digital Mission. In addition to eHospital, the NIC promoted the creation of the Center for Development of Advanced Computing (C-DAC), responsible for digitizing health records at the regional level.
