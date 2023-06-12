New Delhi The Centre on Monday said that the CoWIN portal of the Health Ministry is completely safe with adequate safeguards for data privacy and termed the media reports claiming breach of data of beneficiaries who have received COVID vaccination in the country as mischievous in nature There are some media reports claiming the breach of data of beneficiaries who have received COVID vaccination in the country on some social media platforms These reports allege a breach of data from the CoWIN portal of the Union Health Ministry which is repository of all data of beneficiaries who have been vaccinated against COVID19 the statement saidCertain posts on the social media platform Twitter have claimed using a Telegram online messenger application BOT the personal data of individuals who have been vaccinated is being accessed It is reported that the BOT has been able to pull individual data by simply passing the mobile number or Aadhaar number of a beneficiaryAccording to the statement it is clarified that all such reports are without any basis and mischievous in nature The CoWIN portal of the Health Ministry is completely safe with adequate safeguards for data privacy Furthermore security measures are in place on the CoWIN portal with Web Application Firewall AntiDDoS SSLTLS regular vulnerability assessment Identity amp Access Management etc Only OTP authenticationbased access to data is provided All steps have been taken and are being taken to ensure the security of the data in the CoWIN portalCOWIN was developed and is owned and managed by MoHFW An Empowered Group on Vaccine Administration EGVAC was formed to steer the development of COWIN and for deciding on policy issues The former CEO National Health Authority NHA chaired EGVAC which also included members from MoHFW and MeitY the statement addedCoWIN data access At present individual level vaccinated beneficiary data access is available at three levels as below Beneficiary dashboard The person who has been vaccinated can have an access to the CoWIN data through use of registered Mobile number with OTP authenticationCoWIN authorized user The vaccinator with use of authentic login credential provided can access personal level data of vaccinated beneficiaries But the COWIN system tracks amp keeps record of each time an authorized user accesses the COWIN system API based access The third party applications who have been provided authorised access of CoWIN APIs can access personal level data of vaccinated beneficiaries only through beneficiary OTP authenticationTelegram BOT Without OTP vaccinated beneficiaries data cannot be shared to any BOT Only Year of Birth YOB is captured for adult vaccination but it seems that on media posts it has been claimed that BOT also BOT mentioned date of Birth DOB There is no provision to capture address of beneficiaryThe development team of COWIN has confirmed that there are no public APIs where data can be pulled without an OTP In addition to the above there are some APIs that have been shared with third parties such as ICMR for sharing data It is reported that one such API has a feature of sharing the data by calling using just a mobile number of Aadhaar However even this API is very specific and the requests are only accepted from a trusted API that has been whitelisted by the CoWIN application the statement further saidUnion Health Ministry has requested the Indian Computer Emergency Response Team CERTIn to look into this issue and submit a report In addition an internal exercise has been initiated to review the existing security measures of CoWIN CERTIn in its initial report has pointed out that the backend database for the Telegram bot was not directly accessing the APIs of the CoWIN database ANI