A woman wearing a face mask looks at her smartphone as she walks through a street in Moscow, Russia, November 23, 2020.  © 2020 AP Photo/Alexander Zemlianichenko

Last week, Russian media reported a major personal data leak of Covid-19 patients admitted to Moscow hospitals, as well as Muscovites who had been ordered to self-quarantine, or fined over violating the self-quarantine regulations.

According to the online news outlet Readovka, the leaked data included names, home addresses, insurance numbers, phone numbers and medical data of up to 300,000 people. Most of the information, collected by Moscow authorities, dates to spring 2020, but some is as recent as November. The data, which is stored on online spreadsheets, were circulated via Telegram, a popular messaging app, and can be downloaded without any special authorization. According to the outlet, the leaked spreadsheets got deleted from Telegram. 

Moscow Department of Information Technology confirmed the personal data leak alleging that unidentified staff leaked the information. Authorities promised to take action and an official inquiry is on-going.

Russian law provides for special protection of medical data and bans processing of such data without patients’ consent, with exceptions including for the protection of public health. Some medical information, such as the patient’s diagnosis, is also protected under doctor-patient confidentiality clause.   

This data leak highlights the threats to privacy created by large-scale data collection during the pandemic. In April, experts expressed concerns about excessive gathering and retention of data collected by Moscow authorities via the “social monitoring” app designed to track people with Covid-19.

This is not the first leak of personal data collected in Moscow. In May, data privacy experts were able to access personal accounts of those fined for violating self-quarantine regulations by entering random numbers because the website allowed an unrestricted number of login attempts. In September, the investigative authorities in Moscow opened a criminal case into the alleged sale of facial recognition data by two law enforcement officers.

While collection of data about the spread of Covid-19 may be important to contain the pandemic, authorities should ensure that data collection efforts are guided by the principles of necessity and proportionality and develop comprehensive and transparent regulations on data collection and storage with robust data security safeguards.