Through SatuSehat, users can access the COVID-19 vaccination history and testing results that were previously available on PeduliLindungi, as well as data on available hospital beds and laboratories that could previously only be accessed through another government app.

Health Minister Budi Gunadi Sadikin said SatuSehat would be gradually developed into a "health data bank" for all citizens, where users could access their medical histories, lab results, MRI and CT scan images and immunization records. Users would also be able to book doctor’s appointments through the app and connect it to their smart watches.

"We are currently in the process of integrating data from all health facilities, community health centers [Puskesmas], labs and pharmacies across the country. We aim to finish it by the end of the year," Budi said recently.

He said the data integration would make diagnoses easier for doctors and allow local health authorities to create disease maps and devise better public health policies.

At its peak, PeduliLindungi was used by some 105 million people in the country, as it was mandatory to check in with the app before entering public spaces during the COVID-19 pandemic. Now that all pandemic restrictions have been lifted, some 1 million Indonesians are still actively using the app, according to the ministry.

Breach after breach

Information technology and cybersecurity experts have raised concerns over the data safety and privacy of SatuSehat users, considering the government's poor track record in protecting citizens' data.

In May 2021, the personal data of some 279 million national health insurance (JKN) policyholders was allegedly hacked, including their full names, ID card numbers, email addresses, phone numbers, dates and places of birth and salary details. The data was then sold online.

In the same year, encryption provider vpnMentor flagged a suspected data breach of personal information from the now-defunct electronic Health Alert Card (eHAC), a system that was used by the Health Ministry to help with COVID-19 contact tracing. An investigation involving the ministry and other agencies was closed after investigators claimed to have found that the breaches had occurred on an unsecured third-party database and that there had been no attempts to hack into the eHAC server.

Other cyberattacks against state institutions over the past few years, including a state insurer, a telecommunications company and the Indonesian Child Protection Commission (KPAI), led lawmakers to enact the long-awaited Personal Data Protection Law last year.

Read also: House passes long-awaited privacy bill

But the government was then back in the spotlight for failing to protect citizens’ data after a hacker offered personal information allegedly belonging to users of the PeduliLindungi app for sale on a hacking site. It was the second apparent hack of a state database after the privacy law was enacted in October.

 

'Not ready'

Shevierra Danmadiyah from a coalition of civil groups that advocate for stronger data protection said Indonesia was not ready to have an app that integrated all citizens' health records. She said SatuSehat’s privacy terms and conditions contradicted the new law.

"For example, SatuSehat does not mention provisions requiring the developers to inform users should a data breach happen, as mandated by the data protection law," she said on Thursday. “A data breach would be very damaging for users, especially those who suffer from stigmatized illnesses, like HIV/AIDS."

Read also: Care and protect?: Apparent govt health app breach raises deeper data concerns

Unggul Sagena from digital rights group the Southeast Asia Freedom of Expression Network (SAFEnet) said integrating all citizens' health records into one app would add significant personal data risk.

"If hackers breach the app, they can get almost all of your important data,” he said. “This is concerning because PeduliLindungi was hacked last year, and during the development of SatuSehat, the Health Ministry did not work with non-government digital security experts to test the app’s readiness.”

Unggul also questioned whether doctors, pharmacists and other healthcare professionals would ask for citizens' consent before inputting health data into the app and whether not having the app could prevent citizens from receiving optimal care.

Health Ministry digital transformation office head Setiaji dismissed concerns over the safety of SatuSehat, saying the ministry had worked with the National Cyber and Crypto Agency (BSSN) to ensure the protection of user data.

"Data masking and encryption were used to ensure user data safety. Healthcare professionals also need users' consent to access their medical history," Setiaji said on Tuesday, as reported by Antara.