A data breach at Sri Lanka’s Ministry of Health website has potentially exposed nearly 400,000 records that are believed to belong to patients and medical personnel. The breach was first identified by Twitter account FalconFeeds, which reported that an anonymous user is selling the compromised data—specifically, 398,769 records—on an infamous data breach forum.
As of now, it remains unclear how the Ministry of Health’s systems were compromised or the extent of the breach. However, the post’s sample dataset indicates that the breached data at least includes NICs, phone numbers, addresses, medical appointment details, and other sensitive personal information.
As per the post, the seller is asking a ransom of $3,000 for the dataset. But despite the post being up for more than a day, the Ministry of Health has yet to issue any statement regarding the incident.
Another day, another government site hack
This isn’t the first time a state-owned health system has been compromised in recent years. Mobitel’s e-channeling platform was leaking patient data until a Reddit post made the vulnerability public last November. The Ministry of Health website itself has been defaced at least three times since 2020.
Unfortunately, the issue extends far beyond the health sector. The Ministry of Health data breach follows a string of cybersecurity incidents around government-run digital properties. The government’s digital infrastructure has been a routine target for many years. But a combination of increasingly ambitious bad actors and lagging security processes has only painted a wider target on the Government of Sri Lanka. Whether it’s running websites with no SSL certificates or losing entire email databases, the government’s track record continues to be abysmal.
However, the private sector hasn’t fared much better either. In 2022, a PayHere hack exposed over 1.5 million records amounting to 65GB of data, in what was the biggest data breach in Sri Lanka at the time. Three years later, a Cargills Bank data breach exposed over 1.9 terabytes of data.
Even a small-scale enterprise like Wishque isn’t safe from data breaches
Lagging legislation
Incidentally, the Ministry of Health data breach comes less than two months after the government revealed plans to establish the Cyber Security Authority, a core part of the proposed Cyber Security Bill. The government also stated that it aims to set up the National Cyber Security Operations Centre (NCSOC) under Sri Lanka CERT.
According to Deputy Digital Minister Eranga Weeraratne, the NCSOC will initially implement real-time monitoring of critical government systems such as the Inland Revenue Department and the Central Bank of Sri Lanka. The ministry plans to expand its capabilities to real-time surveillance of critical data infrastructure in both public and private sectors.
Apart from the Cyber Security Authority and the NCSOC, the government also approved a five-year Cyber Protection Strategy plan for the 2025 – 2029 period. Unfortunately, the current status of the government’s digital infrastructure and the attitude towards security do little to inspire confidence.
For instance, the Personal Data Protection Act was passed into law in 2022. Its Data Protection Authority is yet to be operational. More importantly, the implementation of the act itself remains nonexistent to this day. Even amid the slew of data breaches and security incidents since it was passed, the act has done little to protect citizen data.
Sri Lanka has been through enough wake-up calls for the government to take better care of its digital infrastructure. But the Ministry of Health data breach sadly says otherwise.