In yet another COVID-19 patient data breach, the database from arogya.karnataka.gov.in, maintained by the state of Karnataka, India, has been leaked. The user claims that the database contains personal ID, name, address, phone no., email, and password, among others. 
The sample listed with the post indicates that the leaked data reportedly includes information from regions including Bengaluru (Bangalore). The data was allegedly leaked from databases maintained by the state government and private labs collecting COVID-19-related information.
The total COVID-19 cases registered in Karnataka till date is more than 4 million, which is much more than the respective populations of US states such as Oklahoma, Connecticut, Utah, Iowa, Nevada, and Mississippi.
The Cyber Express is yet to receive replies to our requests for comments sent to the state ministry of health and the state department of health.
COVID-19 Patient Data Breach and India
The post, made on Monday, had sample data of personally identifiable information (PII) from personal ID to email. The user under the alias adma3 has been active on the forum since September 2022.
This is the latest in the stream of COVID-19 patient data India faced since the onset of the disease, when government started maintaining databases. According to the official government data, India had a total of 44.7 million cases and 0.53 million deaths as of February 20.
In January 2022, a government server in India was breached, resulting in the exposure of personal data belonging to more than 20,000 people. This includes their name, mobile number, address, and Covid test results.
This sensitive information could be easily accessed through an online search, tweeted cybersecurity researcher Rajshekhar Rajaharia.
Another public health data breaches came to light around the same time, when an investigation by The Probe showed that district health authorities were uploading citizens’ Covid-19 data directly on their website without any security measures in place.
COVID-19 Patient Data Breach: Not a new thing
Last year, a blackhat hacker claimed to have hacked the information of 48.5 million Shanghai’s Covid-19 app users. On August 10, 2022, the claim was made by a user named “XJP” on the Breach Forums. The alleged actor also posted an offer of $4,000 for potential buyers of the data.
In his post, “XJP” shared a piece of stolen data, including the phone numbers, names, 18-digit Chinese identification numbers, and health code status of citizens. The hacker also shared details of 47 people in the post, and the UK-based news agency “Reuters” confirmed with eleven of the people from the data leak that they were listed in the samples.
Meanwhile, the agency (Shanghai Big Data Center) said they were only responsible for the program’s development and rejected any accusation that the data was leaked through them.