Data PrivacyICMR Data Breach: A Reckoning for Data Protection Mechanisms in Critical Government Infrastructure

INTRODUCTION

The Indian Council of Medical Research (hereinafter referred to as “ICMR”) is the apex body in India that works for the formulation, coordination, and promotion of biomedical research and helps translate medical innovations into products/processes and introduce them into the public health system. Recently, India had one of its most extensive data breaches reported where the Personal Identifiable Information (hereinafter referred to as “PII”) of 81.5 Crore (815 Million) Indian citizens was allegedly made available for sale on the dark web.

The details included the name, age, gender, address, UIDAI issued Aadhaar number, and passport number of approximately 4 lakh citizens have already been uploaded as sample files on the dark web. In the view of the foregoing, cyber experts have asserted that potentially 90 GB of Data has been extracted from ICMR servers, thus bringing the need to safeguard health and medical data in the limelight.

An American Cyber Security firm was the first to report the massive data breach. It said in a blog post that its HUNTER (HUMNIT) unit identified millions of PII records belonging to Indian residents being offered for sale on the dark web.

On 09.10.2023, a fraudster with the username ‘pwn0001’ posted a thread on a platform called Breach Forums, providing access to 815 million Indian Citizen’s Aadhar & Passport details, which was put up for sale at $80,000. Previously there have been numerous cyber-attack attempts in the Government and private sectors especially in the last year. The incident has been reported to Indian Computer Emergency Response Team (hereinafter referred to as “Cert-In”) and currently, the Central Bureau of Investigation (hereinafter referred to as “CBI”) and Cert-In are investigating on the matter.

REMEDIAL ACTION & SAFEGUARDING HEALTH AND MEDICAL DATA

ICMR’s data breach has necessitated the need for a robust and secure data protection architecture which is pivotal for one and all organizations, especially Government organisations and those which are engaged in the healthcare sector. Owing to the bulk and sensitive nature of the data being collected, it is of paramount importance to protect user privacy, maintain the integrity of healthcare systems, and ensure compliance with data protection regulations.

The following key steps and/or best practices should be implemented in order to mitigate the risks of exposure and safeguard the PII often stored on the servers and databases of organisations:

1. Access Control

Implementing strict access control measures to ensure that only authorized personnel can access medical data is one of the fundamental steps in safeguarding the PII stored on the servers or databases of an organisation. Furthermore, role-based access control (“RBAC”) can be implemented to grant appropriate permissions based on job roles and responsibilities. Access Controls also help in eliminating insider risks, unwarranted exposure of data, accidental data leaks, hacking, etc.

2. Encryption

Encrypting data which it is at rest and is in transit secures the data in a holistic manner. Encryption protocols such as transport layer security (hereinafter referred to as “TLS”), or measures such as full disk encryption, or database encryptions are the need of the hour, especially in the light of such massive data breaches.

3. Regular Auditing and Monitoring

Organisations should implement comprehensive auditing and monitoring systems to track who accesses the data and what is further done with such data. Regular reviews and analysing audit logs for suspicious activities can minimize the risk of fraudulent activities.

Regular monitoring and assessments also helps in ascertaining whether any unnecessary data is being retained, whether the database contains outdated or inaccurate data, etc.

4. Secure Software and Systems

Often, cybersecurity breaches and data leaks are a result of poor or outdated software security systems. Hence, it is pertinent to keep software and systems up-to-date with security patches and updates.

5. Employee Training and Awareness

Even in the era of digital data protection, employees lack awareness about the standard data protection measures, the implication of digital footprints and how to efficiently manage the data of users. In the light of the same, comprehensive training should be provided to the staff and employees on data security, privacy policies, and best practices.

In fact, a culture of security awareness should be created to ensure that the employees understand their individual roles in safeguarding the personal data stored and transferred by the organisation.

6. Legal Instruments

Legal instruments such as contracts and agreements, policies, notices, etc., form the legal basis of the data protection ecosystem of an organisation. Hence, such legal instruments should be carefully drafted, in a tailor-made manner, keeping in mind the best interests of both the organisation and the users.

7. Disaster Recovery and Incident Response

In the event of data breaches such as the present one, data recovery and incident response plans play a huge role in mitigating the adverse effects of such data leaks. Disaster recovery plans should be developed and tested on a regular basis, to ensure the continuity of the services and eliminating the risks that comes with unwarranted data exposure. The two key ingredients to develop an incident response plan is : prompt action and effective solution.

AMLEGALS REMARKS

There has been immense increase in the cases of data breach both in public and private sectors. Safeguarding any kind of PII or sensitive personal data requires a holistic approach, involving not only technical measures but also organizational policies and practices. Continuous vigilance, proactive security measures, communication, and transparency are essential to protect sensitive information and maintain the trust of the data principals and the stakeholders.

In the event of a data breach such as that of the ICMR, a swift and well-coordinated incident response is crucial. Organizations must immediately initiate the pre-established incident response plan, involving key stakeholders and cybersecurity experts. Subsequently, the response should include identifying the extent and nature of the breach, containing and mitigating the damage, notifying affected individuals and regulatory authorities as required by law, preserving evidence for forensic analysis, and taking steps to prevent future breaches.

For any query or feedback, please feel free to get in touch with mridusha.guha@amlegals.com or jason.james@amlegals.com