Revealed: Personal data of 37,000 Plateau State residents exposed on health care agency portal

Plateau State Contributory Health Care Management Agency (PLASCHEMA), the government-run agency set up to better the health care system in Plateau state mishandled the personal data of citizens, a new report finds. Website Planet, a company that among other things disclose data leaks and mismanagement reports that around 45GB, totalling over 75,000 files of personal information of people in the state have been left unsecured on the internet for months.

According to the report, now available on the Website Planet, passport photographs, birth certificates, national identity cards etc. all revealing applicant faces are part of the data PLASCHEMA left unsecured.

Website Planet says that its researchers “discovered PLASCHEMA’s buckets, left in open form, without any encryption or password protection, as part of our extensive web mapping project.”

It adds that it uses “web scanners to identify unsecured data stores on the internet. We responsibly analyze, secure, and report these data incidents to raise awareness about the dangers of cybercrime and help affected companies and users.”

PLASCHEMA began operation in 2019 in the state according to a press release to “regulate, supervise and implement State Social Health Insurance Scheme to provide universal health coverage for every resident of the State” and “ensure financial protection for individuals and families from huge medical bills and ensure equal distribution of health cost across different income groups.”

Many citizens apply for the programs that PLASCHEMA run for which they have to provide private information and data as part of the process to see if they meet the criteria of being eligible for a package.

Just in April this year the Director-General of PLASCHEMA, Dr Fabong Jemchang Yildam had been on a statewide campaign to sensitize citizens and politicians alike to key into some of the programs that PLASCHEMA was offering including health insurance premiums.

Now, Website Planet reports that “11 of PLASCHEMA’s AWS buckets were left unsecured without any authentication or encryption controls in place.”

AWS buckets are cloud-like infrastructures by Amazon Web Services that owners can store huge amounts of data. But AWS gives total control and access to the files to their owners, who are also tasked with making them secure and safe.

While it’s still unknown if the data have been harvested by malicious parties or used by them for nefarious activities, over 37,000 people have been affected by the PLASCHEMA’s data incident.

What could be the consequences for PLASCHEMA?

PLASCHEMA leaving applicants’ data unsecured is illegal in Nigeria, and the National Information Technology Development Agency (NITDA) could slap it with fines.

If NITDA decides to persecute PLASCHEMA for the incident, the agency could pay a fine of the equivalent to 2% of its annual turnover or 10 million Naira, typically whichever one is greater.

If malicious actors harvest the citizens’ data, they could be targets for cybercriminal activities. For one, they could be impersonated in cybercrimes which could lead to huge reputational damage and in some cases jail time.

Website Plannet said that since April it has reached out to the Nigerian government to raise an alarm about the incident, but as of early June, the applicants’ data were still left unsecured on the internet.

There is very little citizens affected can do, especially citizens without means in Nigeria. For one, they can join in raising the alarm that PLASCHEMA mishandled their personal data. At most, they can sue the agency and seek some form of compensation for PLASCHEMA being careless with their personal data.

Note: We reached out to PLASCHEMA for an official response to the claim and they promised to respond by close of business today. They are to respond at the time of publication. The report will be updated as soon as they do.