#DataScam: Data Recovery Agreements sent to AG for approval

COLOMBO (News 1st); All the agreements with regard to the recovery of missing data from the Lanka Government Cloud Server of the National Medicines Regulatory Authority have been directed to the Attorney General for approval.

A senior officer of the NMRA said the recovery process will commence immediately after the Attorney General gives the green light.

In addition, the recovery process will take place under the strict supervision of a panel of experts.

In November, Dr. Saman Ratnayake from the State Ministry of Production, Supply and Regulation of Pharmaceuticals speaking to News 1st said that the company that operated the database (Epic Lanka Technologies) will work on using experts to recover the data.

4 IT experts have been recommended for the recovery process and Dr. Ratnayake said two of them are Sri Lankans and the others are foreign nationals.

The State Ministry of Production, Supply, and Regulation of Pharmaceuticals has appointed a committee to review the credentials of the experts and select the suitable candidate to commence the recovery process.

He said the relevant agreements on recovering the lost data were signed and the company in charge of the data system is required to produce a plan for the successful completion of the recovery.

#DataScam :

On the 3rd of May 2018, the National Medicines Regulatory Authority (NMRA) and Epic Lanka Technologies Private Limited (‘EPIC LANKA’) signed an agreement for a period of five years to provide and implement a document & workflow management system as a service for NMRA.

Accordingly, the NMRA, termed as the employer was required to provide the Lanka Government Network (LNG 2.0) connectivity and On-site security, among other processes.

In addition, Epic Lanka Technologies was to provide 78 laptops, one LED monitor, and 10 wireless Laser Printers to the NMRA, with multiple sources that have confirmed that the agreement is SaaS, or ‘Software as a Service’.

The NMRA, Epic Lanka, and the ICTA – the consultant had thereafter agreed on the Software Requirement Specification and concluded the process with a User Acceptance Test, where NMRA personnel had tested the system on-site in the presence of ICTA personnel.

The total contract price for the total period of 60 months was agreed at just over 29 Mill Rupees (Rs. 29,130,900/- i.e.- Rs. 485,515/- x 60). Until July 2021, for a period of 25 months, the service was delivered.

That is until the infamous #DataScam took place.

According to inside sources, the architecture of the system provided to the NMRA does not specify an ‘official data classification’.

Sources have confirmed that the system provided two storages, one main database and secondary attachments database or the file server.

The main database is where all sensitive data on medicines and medical products are placed, and it is designed to go into auto-backup at midnight daily. The secondary database (File Server) with a capacity of around two terabytes was designed for the uploading of attachments to the sensitive material in JPEG or PDF format, sources have confirmed.

The File Serve will also contain research material for medicines and medical products.

Sources told News 1st that the File Server is not a system agreed to have a backup, as it was designated to hold non-sensitive material and the matter was never flagged at the review meetings for the 25 months until July 2021.

During the first week of July 2021, the NMRA had called for an online support meeting and the requirement, accepted by Epic, was passed down to the team of engineers in charge of the system.

Sources have confirmed that two days later, the NMRA had sent a system message claiming the File Server was not visible and a system inquiry had revealed that the Folder designated as File Server was MISSING.

An internal inquiry into the incident had revealed that the ‘unnamed systems engineer’ had executed the NMRA support required and given a ‘DELETE Command’ to the system.

The Systems Engineer had executed the DELETE command during the weekend.

Sources confirmed that the engineer claimed it was “a mistake” and he had deleted the Original File and not the Test File.

The Software Engineer responsible for deleting files from the eNMRA database on the Lanka Government Cloud was returned to remand custody until the 10th of November, by Colombo Chief Magistrate Buddhika Sri Ragala on Tuesday (2).

The Software Engineer identified as Pramodh Dilupa Ramanayake is charged with deliberately deleting over 11,000 files from the database of the National Medicines Regulatory Authority.

Forensic Investigations have revealed that the deletion of over 11,000 files NMRA files relating to medicines and medicinal drugs was not a mistake and was a deliberate act, the Attorney General’s Department told the Colombo Additional Magistrate’s Court on the 29th of September.