Personal data of 37,000 Plateau State residents exposed on healthcare agency portal

The Plateau State Contributory Healthcare Management Agency (PLASCHEMA), the government agency set up to improve the healthcare system in Plateau State, mishandled citizens’ personal data, according to a new report. Website Planet, a company that discloses data leaks and mismanagement, among other things, reports that about 45 GB of data, totaling more than 75,000 files of personal information on people in the state, was left unsecured on the Internet for months.

According to the report, now available on the Website Planet site, passport photos, birth certificates, national identity cards and other documents, all showing applicants’ faces, are among the data left unsecured by PLASCHEMA.

Website Planet says its researchers “discovered the buckets of PLASCHEMA, left open, without any encryption or password protection, as part of our extensive web mapping project.”

It adds that it uses “web scanners to identify insecure data stores on the Internet. We analyze, secure and report these data incidents responsibly to raise awareness of the dangers of cybercrime and to help affected businesses and users.”

PLASCHEMA Managing Director, Dr. Fabong Jemchang Yildam. Image source: PLASCHEMA

PLASCHEMA started its activities in the state in 2019, according to a press release, to “regulate, supervise, and operate the state social health insurance system to provide universal health coverage to all residents of the state” and “to provide financial protection to individuals and families against huge medical bills and ensure an equal distribution of health costs among different income groups”.

Many citizens apply for the programs that PLASCHEMA runs, and as part of the process they have to provide private information and data so the agency can determine whether they are eligible for a package.

In April this year alone, the CEO of PLASCHEMA, Dr. Fabong Jemchang Yildam, was on a statewide campaign to sensitize citizens and politicians to take up some of the programs offered by PLASCHEMA, including health insurance premiums.

Now, Website Planet reports that “11 of PLASCHEMA’s AWS buckets failed to be secured without any authentication or encryption controls in place.”

A sample birth certificate downloaded from the site. Source: Website Planet

AWS buckets are cloud storage containers on Amazon Web Services in which owners can store massive amounts of data. AWS gives owners full control over access to their files, and the owners are also responsible for keeping those files safe and secure.
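As an added example (not from Website Planet's report or from PLASCHEMA), the following Python check audits bucket settings offline for the two gaps the report names: public access and missing encryption. The bucket names and settings are constructed, and the dictionary fields are assumed to mirror the S3 public-access-block, ACL, policy and default-encryption configuration fields.

```python
# Added example: offline audit of S3 bucket settings. All bucket data below is
# constructed; field names mirror the S3 bucket configuration responses.
GROUP_URI = "http://acs.amazonaws.com/groups/global/"
PUBLIC_GROUPS = {GROUP_URI + "AllUsers", GROUP_URI + "AuthenticatedUsers"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _public_statement(stmt):
    """Allow statement open to any principal with no Condition (simplified)."""
    principal = stmt.get("Principal")
    anyone = principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
    return stmt.get("Effect") == "Allow" and anyone and not stmt.get("Condition")

def audit_bucket(cfg):
    findings = []
    pab = cfg.get("public_access_block") or {}
    # IgnorePublicAcls / RestrictPublicBuckets neutralise public ACLs / policies.
    if not pab.get("IgnorePublicAcls"):
        for grant in cfg.get("acl_grants", []):
            if grant["Grantee"].get("URI") in PUBLIC_GROUPS:
                findings.append(f"public ACL grant: {grant['Permission']}")
    if not pab.get("RestrictPublicBuckets"):
        statements = _as_list((cfg.get("policy") or {}).get("Statement", []))
        if any(_public_statement(s) for s in statements):
            findings.append("bucket policy allows anonymous access")
    # Server-side encryption does not stop a permitted (or public) reader, so
    # it is reported separately from the access findings.
    if not (cfg.get("encryption") or {}).get("Rules"):
        findings.append("no default encryption rule")
    return findings

OPEN_BUCKET = {  # constructed: anonymous read via ACL and policy, no encryption
    "name": "example-applicant-uploads", "public_access_block": None,
    "acl_grants": [{"Grantee": {"Type": "Group", "URI": GROUP_URI + "AllUsers"},
                    "Permission": "READ"}],
    "policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-applicant-uploads/*"}]},
    "encryption": None,
}
LOCKED_BUCKET = dict(OPEN_BUCKET, name="example-locked",  # same ACL and policy
    public_access_block={"BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    encryption={"Rules": [{"ApplyServerSideEncryptionByDefault":
        {"SSEAlgorithm": "aws:kms"}}]})
if __name__ == "__main__":
    for bucket in (OPEN_BUCKET, LOCKED_BUCKET):
        print(bucket["name"], audit_bucket(bucket) or "no findings")
```

The second bucket keeps the same public ACL and policy but reports no findings, because the public access block settings override both.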

Personal Data – an identity card of a resident of Plateau State. Source: Website Planet

Although it is still unclear whether the data was harvested by malicious parties or used by them for nefarious activities, more than 37,000 people were affected by the PLASCHEMA data incident.

A sample driver’s license downloaded from the site. Source: Website Planet

What could be the consequences for PLASCHEMA?

It is illegal in Nigeria for PLASCHEMA to leave applicants’ data unsecured, and the National Information Technology Development Agency (NITDA) could issue fines.

Plateau State-run PLASCHEMA left more than 37,000 citizens' personal data unsecured - report

If NITDA decides to sue PLASCHEMA for the incident, the agency could pay a fine equivalent to 2% of its annual turnover or 10 million naira, usually whichever is greater.

For the 37,000 people involved, information including their full official names, dates of birth, height, gender, occupation, blood type, address, state, city/village, local government area, place of birth, parents’ full names and registration details is now compromised.

If malicious actors harvest the data, the affected citizens could become targets of cybercriminal activity. For one thing, criminals could impersonate them while committing cybercrimes, which could lead to huge reputational damage and, in some cases, jail time.

Website Planet said that since April it had contacted the Nigerian government to raise the alarm about the incident, but by early June applicants’ data was still unsecured on the internet.

There is very little that concerned citizens can do, especially destitute citizens in Nigeria. On the one hand, they can join in raising the alarm that PLASCHEMA has mishandled their personal data. At most, they can sue the agency and seek some form of compensation for PLASCHEMA’s negligence with their personal data.

Note: We reached out to PLASCHEMA for an official response to the claim and they promised to respond by close of business today. They are yet to respond as of the time of publication. The report will be updated as soon as they do.
