
Cybersecurity Flaw Compromises Patient Data at Bengaluru Hospital Chain
A significant cybersecurity vulnerability on the website of Sagar Hospitals in Bengaluru exposed confidential patient data to potential exploitation, according to a complaint filed with the Indian Computer Emergency Response Team (CERT-In).
Incident Details
- Date of Discovery: August 12, with preliminary acknowledgment from the National Critical Information Infrastructure Protection Centre (NCIIPC) on August 9.
- Nature of Vulnerability: An Insecure Direct Object Reference (IDOR) flaw was identified by cybersecurity researcher Sourajeet Majumder. In this class of vulnerability, a reference supplied by the user (such as a record identifier carried in a URL) is used to fetch a file or record without the server verifying that the requester is authorized to view that particular object.
- Affected Data: The flaw risked exposure of sensitive patient information, including names, phone numbers, ages, genders, Unique Health Identifiers (UHID), and detailed test results. Confidential reports of minors and senior citizens were also at risk.
How It Was Discovered
Majumder found the vulnerability while scanning a QR code from a lab report at Sagar Hospitals’ Jayanagar branch. The QR code directed him to a section of the hospital’s website where lab reports could be downloaded without additional verification, potentially compromising hundreds of patient reports.
Hospital Response
- Immediate Action: Upon being contacted by DH on August 14, Sagar Hospitals disabled access to the affected sub-domain.
- Official Statement: Jaba M Roy, General Manager (Branding, Media, and Communication) at Sagar Hospitals, stated that the hospital has engaged its legal team for an internal investigation.
Recommendations
Majumder recommends implementing two-factor authentication (password and OTP) to enhance data security and prevent similar vulnerabilities in the future.
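To make the flaw class concrete for readers, the following Python is an added illustration and is not code from the article, from Majumder, or from Sagar Hospitals' systems. It models a lab-report download handler in the IDOR shape described above (the identifier from the link is the only input) next to a version that resolves the patient's identity from an authenticated session, which is where the login-plus-OTP step recommended above would sit, and checks that the requested report belongs to that patient. A small log-scanning helper shows the detection angle: one session pulling many distinct report identifiers. All record identifiers, UHID values, session names and log lines are constructed for the example.

```python
"""IDOR illustration: a report download endpoint without and with an
object-level authorization check, plus a simple enumeration detector.
Constructed example; no real patient data, URLs or hospital code."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional, Set


@dataclass(frozen=True)
class Report:
    report_id: int
    patient_uhid: str  # hypothetical patient identifier; format is assumed
    content: str


# Constructed sample records (not real patient data).
REPORTS = {
    1001: Report(1001, "UHID-A", "Lab results for patient A"),
    1002: Report(1002, "UHID-B", "Lab results for patient B"),
}


class Forbidden(Exception):
    """Request made without an authenticated session."""


class NotFound(Exception):
    """Record does not exist or is not visible to this session."""


def download_report_vulnerable(report_id: int) -> str:
    """The IDOR pattern: the identifier from the link (e.g. decoded from a
    QR code) is the only input, so whoever holds or guesses the
    identifier receives the record."""
    report = REPORTS.get(report_id)
    if report is None:
        raise NotFound(report_id)
    return report.content


def download_report_checked(session_uhid: Optional[str], report_id: int) -> str:
    """Hardened version: identity comes from the server-side session
    (assumed to be established by password + OTP login) and the handler
    confirms the report belongs to that patient before returning it."""
    if session_uhid is None:
        raise Forbidden("authentication required")
    report = REPORTS.get(report_id)
    if report is None or report.patient_uhid != session_uhid:
        # Same response for missing and foreign records, so the endpoint
        # does not reveal which identifiers exist.
        raise NotFound(report_id)
    return report.content


def can_access(session_uhid: Optional[str], report_id: int) -> bool:
    """Boolean wrapper around the checked handler, convenient for tests."""
    try:
        download_report_checked(session_uhid, report_id)
        return True
    except (Forbidden, NotFound):
        return False


# Detection side: constructed access-log lines in an assumed format.
LOG_RE = re.compile(r"session=(\S+) report_id=(\d+) status=(\d+)")
SAMPLE_LOG = [
    "10:00:01 session=s-a report_id=1001 status=200",
    "10:00:02 session=s-a report_id=1001 status=200",
    "10:00:05 session=s-x report_id=1001 status=200",
    "10:00:06 session=s-x report_id=1002 status=200",
    "10:00:07 session=s-x report_id=1003 status=404",
    "10:00:08 session=s-x report_id=1004 status=200",
]


def flag_enumeration(lines: Iterable[str], threshold: int = 3) -> Set[str]:
    """Return sessions that requested more than `threshold` distinct report
    identifiers. A patient normally touches only their own few reports,
    so wide fan-out across identifiers is the signal worth investigating."""
    seen = defaultdict(set)
    for line in lines:
        match = LOG_RE.search(line)
        if match:
            session, report_id, _status = match.groups()
            seen[session].add(int(report_id))
    return {session for session, ids in seen.items() if len(ids) > threshold}


if __name__ == "__main__":
    print(download_report_vulnerable(1002))          # served to anyone with the id
    print(can_access("UHID-A", 1001), can_access("UHID-A", 1002))  # True False
    print(flag_enumeration(SAMPLE_LOG))                # {'s-x'}
```

The essential fix is the ownership comparison in `download_report_checked`; two-factor login strengthens the identity the server trusts, but without the per-object check a logged-in user could still reach other patients' records, which is why both belong together.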
Current Status
The vulnerability has been addressed, and further investigation is underway by the hospital’s legal and cybersecurity teams.