Passport data, addresses, diagnoses and test results of 300 thousand patients ended up in the public domain. The city authorities are looking for those responsible. Novye Izvestia spoke with several residents of the capital whose data was leaked.
Muscovites who had been ill with coronavirus, in addition to hospital hardships, were "rewarded" with another problem - the leakage of their personal data.
On the night of December 9, more than 362 Excel, Word and JPG files were discovered on the Internet on the Google Docs service; 60 spreadsheets (some of them up to 100 thousand rows); the total amount of data is approaching a gigabyte (940 MB). The leak contains information on about 300 thousand patients who were treated for covid or who went to medical institutions in the capital for help with suspicion of this diagnosis in the spring and summer of 2020.
Full names, dates of birth, addresses of registration and actual residence, numbers of passports, cell phones and compulsory medical insurance policies, attachment to clinics, diagnoses and the nature of the course of the disease in patients, decisions on hospitalization and issuance of certificates of incapacity for work, enrollment in risk groups, visits to specific foreign countries with dates and flight numbers, and lists of "quarantine violators" are now available to a wide range of people. Novye Izvestia was also able to download these files without any problems.
In a word - a luxurious gift for scammers of all stripes, and the target is people who have recently fought with the disease, including many elderly people.
The most recent file is dated 06/12/2020.
Among the files that became public are, for example, tables with names such as "Discharged from Kommunarka (Moscow)", "Service areas", "CT centers all", "Violating quarantine", "Consolidated", "CT centers defects", "Discharges from the hospital", "Strangers", "Patient registration switching plan", "Pneumonia at home", "Responsible for completing a new program", etc.
In addition to the archive with files, links to closed Telegram chats of Moscow hospitals and ambulance stations were posted for open access. According to media reports, data on 1C servers and keys for connecting to the registration system for coronavirus patients also appeared on the Web.
Computer security experts agree that Pavel Sitnikov, a well-known cyber specialist with an ambiguous reputation (known as underground, Tobin Frost, Slippery Fox, flatl1ne; some of his nicknames are blocked on shadow forums), may be involved in the dissemination of personal and medical data of Muscovites (for illegal actions, fraud).
It was through his Telegram channel that a text file containing links to archives with personal data and Google Docs was posted today at 0:23. After a while, the post with files available for download was deleted, but a record of it was preserved on sites that collect Telegram statistics.
The special correspondent of Novye Izvestia called ten “people from the lists” and asked how they feel about the leakage of their personal data, including from medical institutions. All of them confirmed that they had been hospitalized with a diagnosis of COVID-19 in Moscow, had contacted state medical institutions and diagnostic centers to be examined for this diagnosis, or had been issued instructions for placement in observation or home quarantine.
“I applied to Kommunarka for coronavirus tests, but I didn’t lie there. I have a negative attitude, of course, to this leak. I will think about filing lawsuits to protect my rights”, - said Vitaly G.
“It's bad, of course, that my data is available to everyone. I can only express regret that our hospitals have not learned how to properly work with personal data. And you know, you're not the first person to call about my covid diagnosis - this leak is already number two. A few months ago, people who had nothing to do with medicine already called me, and they also asked similar questions. The prosecutor's office should monitor the implementation of the law on personal data, if we talk about state medical institutions”, - says Alexey S.
“I had been ill in Paris, then I returned to Russia and here, after my illness, I decided to simply check for the consequences. I did a CT scan at a local hospital, the examination showed that by that time I was already completely healthy. Of course, this leak is a very unpleasant event for me. Thank you for the warning”, - said Maria Ch.
“Yes, I was sick in the spring. To be honest, I don't care what happened there and where. I don't plan to deal with this in any way”, - commented Natalya K.
Rever Jonas, an entrepreneur with German citizenship, CEO of Deutsche Leasing Vostok JSC, also confirmed that in the spring of 2020 he came to Kommunarka with a confirmed diagnosis of COVID-19:
“This is not critical for me, everyone already knows that I was sick. My personal data is already quite open, all requests from government agencies come to me by e-mail. The level of personal data protection in Russia, of course, is not very high. At the entrance to any business center, the guards rewrite personal data in their logs, and no one can control this, although federal law No. 152 "On personal data" prohibits this and provides for fines, but in practice there are no sanctions, therefore, the personal data of citizens - everywhere. This logic is not very clear to me.
I was treated in Kommunarka in early March, when the clinic was not officially open yet. Doctors and nurses - kind and good, did everything they could. And what amazed me - absolutely free, I was treated under VHI insurance, and did not pay a penny - not for a single room, not for food, or for medical services, they even allowed me to bring in a refrigerator that my friends brought. This is rare because I know people who have been made to pay unfunny sums for coronavirus treatment. For me personally, the stay there was 5 points. But the medical staff was already terribly lacking. The technique is new, but the experts did not know how to use it. The situation of the patients is, of course, extreme".
“At work, we did tests for coronavirus (not the public sector). The result was negative, the disease was not confirmed. It is strange that I ended up in these databases - probably some kind of mistake”, - said Oksana Ch., next to whose name the table lists hospitalization with a positive repeat test.
“Do you know how much a lawyer's services cost in Russia? The game is not worth the candle - to apply for some kind of compensation due to leaks. I'm just glad that this information of mine will be useful to someone. Do you know why? Because despite any laws on the protection of personal data, all data about me, you, any citizen can be found without problems. Give me just 10 minutes, as they say”, - comments Sergey K.
The wife of Vladislav B. tearfully says that her husband was transferred to Kommunarka from the district clinic, where he had been hospitalized with other diagnoses but caught covid.
“These were the worst two weeks. Terribly unpleasant. After all that a person has endured due to illness, of course, it is not at all up to the point of going and dealing with some kind of personal data, we would have to reach the store. We were not treated properly, they said: “What do you want? Here, young people are dying, but you are still alive and okay.” In May he was discharged, but his condition is still very bad, the person is deaf, and, of course, a rehabilitation period is needed, but no one even offers it".
According to Art. 13 of Law No. 323-FZ "On the Basics of Health Protection of Citizens in the Russian Federation", information about the fact that a citizen sought medical care, his state of health and diagnosis, and other information obtained during his medical examination and treatment constitutes a medical secret.
"According to the law, information about a citizen's appeal for medical care at all cannot go beyond the medical organization that worked with the patient. The medical organization guarantees their preservation, and only law enforcement or judicial authorities can request them from hospitals. The December 9 leak is more than just disclosing personal data of patients. The first question in this story is what are the lists? Why did medical organizations even share patient data with someone else? Who collected them in one place and on what basis, who kept these tables? Who authorized / ordered this to be organized? The collected database is illegal. There should be a trial by the UK and the prosecutor's office. Officials will now, of course, begin to hide behind extreme conditions during a pandemic. But let me remind you that today WHO did not officially recognize the outbreak of coronavirus as a pandemic", - says Alexander Saversky, an expert of the State Duma Interfactional Working Group on Drug Supply and Circulation, President of the League of Patients.
Indeed, how did this “sensitive”, detailed information, which is not only protected by the law “On Personal Data” but is essentially a medical secret, end up online?
The leaked summary tables themselves contain notes that the data was filled in by a certain "Committee of Public Services".
"Leaked tables are data from a flash drive or from a computer, manually copied by a person. No, the leak has nothing to do with social monitoring, this is data that was collected daily in April-June 2020. Moreover, the nature of these data suggests that they are not from some particular hospital, but from the place where this data was combined and processed, that is, this is not a hacking of some server. There are many leak scenarios. For example, it could be an attack on the computer of one of the employees, or simply a lost flash drive. In addition to the fact that such information should not be publicly available at all, the question also arises about the expediency of storing and processing it on the servers of a foreign company Google", - comments Alexander Vurasko, head of the digital threat analysis department at Infosecurity, former speaker of the K Department of the Russian Interior Ministry...
The Moscow authorities also acknowledged the leak. A preliminary version of what happened was outlined by the head of the Moscow Department of Information Technologies Eduard Lysenko:
“There were no break-ins or any other unauthorized interference in the operation of the information systems of the Moscow Government. The leak occurred due to the human factor: the employees who were involved in the processing of official documents allowed the transfer of these files to third parties. The check continues, and measures will be taken based on its results”, - he said.
The Moscow government and the headquarters for the fight against coronavirus promised to report soon on the results of their own check into the leak of Muscovites' data.
The leak of databases with data on residents of the capital who had been ill with covid once again revived discussions about the fudging of statistics in Russia.
Studying the leaked databases, anyone can see noticeable discrepancies with the Moscow City Hall's data on the number of COVID-19 cases. For example, according to data from the leaked summary tables, by April 24, 52,596 people were sick with coronavirus in Moscow. The official reports published by the headquarters on April 24 gave only 36,897 infected people in the capital by that day.