KUALA LUMPUR, Oct 24 – Personal data of patients on the government-linked National Neurology Registry’s (NNR) website has been found to be freely available due to a scripting error.
According to Free Malaysia Today (FMT), the registry’s database was downloadable and editable, and it allowed anyone to see the NRIC numbers, phone numbers, addresses and other data pertaining to more than 17,000 patients.
“I must say this is a shame to the country for not protecting patient data and violating patients’ confidentiality.
“It doesn’t even take an IT person like me to figure out how to get the data,” FMT cited a source from Canada, who reportedly discovered the leak first, via a broken link on the website, when scouting for information on Malaysian neurology patients.
According to FMT, the registry, sponsored by the Ministry of Health (MOH), was developed in 2008 by Rocket Integration Technology, a company based in Shah Alam.
“I’ll say they are easily hackable because developers are too lazy to do a proper job,” the report quoted Universiti Sains Malaysia (USM) IT lecturer Selvakumar Manickam as saying.
Selvakumar had previously stress-tested many government websites.
He said that programmers would need to work on file access permissions after creating the websites.
“But this is a tedious job. So, they just leave the access unchanged, allowing the websites to be easily hackable. They do that because it makes life easier for them,” he added.
The latest episode comes merely weeks after digital forum website Lowyat.net highlighted security protocol weaknesses in Putrajaya’s Bantuan Sara Hidup (BSH) or Cost of Living Aid website, which exposes the bank account numbers of aid recipients to anyone who merely keys in their identification card digits.