Exclusive: Govt.’s flagship ‘Ayushman Bharat’ is leaking personal data of 7 lakh+ citizens

My Lawrd has learnt that India’s flagship health scheme ‘Ayushman Bharat’ is actively leaking personal data of 7 lakh+ citizens of India. Ayushman Bharat envisages a move from a segmented approach of health service delivery to a comprehensive need-based health care service, and the government has been actively collecting personal data of crores of citizens under this scheme. Launched in September 2018, a key component of the scheme is the Pradhan Mantri Jan Arogya Yojna (PM-JAY). It was launched by Prime Minister Narendra Modi himself.

Note: Since the data is still publicly available, and the authorities who are aware of the incident have chosen not to respond, we are forced to refrain from disclosing specific details about the incident/leakage. Doing so would endanger the privacy and security of all individuals involved.

The PM-JAY

The government claims the PM-JAY to be the largest health assurance scheme in the world. It aims to provide a cashless health cover of Rs. 5 lakhs per family per year for secondary and tertiary care hospitalization. The insurance cover extends to over 10.74 crore poor and vulnerable families (approximately 50 crore individuals).

To implement the scheme, the Ministry of Health and Family Welfare conceived the idea of a federal architecture for the management of digital health data, to ensure interoperability, technological flexibility and independence across the National Digital Health Ecosystem (NDHE). To participate in the NDHE, the National Digital Health Mission issues a Health ID to any eligible individual. It contains certain “personal health identifiers”, including a person’s name, family and relationship information, and contact details. When an individual presents the Health ID to a participating healthcare provider, it allows them to receive the individual’s lab reports, prescriptions, and diagnosis digitally.

The Breach

What is alarming and demands immediate attention is the fact that miscreants have created multiple websites which impersonate the scheme to lure citizens into sharing their personal data. These webpages claim to register/enrol people as beneficiaries under PM-JAY and harvest crucial data of citizens, including Aadhaar card details. The National Health Authority has recently released a public advisory listing multiple such websites.

One such website chose to upload 42 Excel sheets, detailing PM-JAY beneficiaries from both rural and urban areas of Haryana. Collectively, these files are leaking data of 7 lakh+ Ayushman Bharat, or PM-JAY, beneficiaries. They include the following key information:

  • 29-digit Abridged House List Temporary Identification Number

  • 27-digit Temporary Identification Number - National Population Register

  • 24-digit House Hold ID number given to each family in the Socio Economic Caste Census (SECC), linked with Ayushman Bharat Scheme.

  • Ration Card Number

  • Full Address

  • Details of Family including Spouse

  • Date of Birth

  • Mobile Number

  • Caste group

  • Income Source

Unfortunately, we have not been able to independently ascertain the source of the information, apart from this website. It could be from the SECC, or from the beneficiary registration process of PM-JAY.

Reporting the incident

When we came across the trove of data, we immediately wrote to the Chief Secretary (Electronics & IT), Govt. of Haryana, along with Mr. Ajay Lakra, Chief Grievance Officer CERT-In, as well as NCIIPC. Raising the issue as a major leak of personal information of citizens and a violation of their right to privacy, we provided complete details of the website, shared all relevant URLs, and requested their urgent intervention. We also requested them to take down the website immediately and initiate an investigation to plug the leak, especially since the said website is easily searchable through Google and also maintains a Twitter account impersonating a government initiative, with over 8k followers!

However, we did not receive any response from any of the authorities. We followed up with them 3 days later and reiterated our request. Sadly, we are yet to receive a response.

Conveniently enough, after our follow-up email, the files disappeared from the front end of the said website (removed from the menu). But since we had initially saved the URLs to the said Excel sheets, we were able to access the files, indicating that they are still available in the website database.

We once again request the concerned authorities to take up the issue proactively and protect the privacy of fellow citizens. Besides, we also reiterate our commitment towards the issue, and we would be happy to share all the information available with us.

A few screenshots are attached to support the information.

Ayushman Bharat leaking data


Update (31st May, 2021, 04:30 p.m.): Post publication of this article, the said website is inaccessible. However, once again, conveniently, the website has been put on maintenance mode. This raises suspicion about involvement of public officials in the issue. (In case you missed it earlier, when we wrote a follow-up to all concerned authorities, the option to download data was removed from the website menu within a few hours. However, the data was still available in the back-end, accessible through previously saved links.)

It must also be borne in mind that the leaked data is still out there, and it would be impossible to get to the root of the issue without a proper investigation.

Since the website is no longer accessible, we would like to share more details about the issue.

Screenshot of website leaking data of Ayushman Bharat scheme, affecting 7 lakh+ citizens; the last menu option ‘Ayushman Bharat Pending Families Data’ is relevant.

Present status of the website.

Update (04th June, 2021, 02:30 p.m.): It appears that the website has been taken down completely. We are thankful to the authorities for acting on our complaint.


Rohit Ranjan Praveer

Rohit is a practicing advocate at Delhi. Beginning as a tech enthusiast, Rohit always had a keen interest in computer forensics and information security. Building upon these fundamentals, he has undertaken extensive research on various techno-legal topics and continues his pursuit to pass on valuable information to the masses, with a zeal to build something that outlasts him.
