A problem with the HSE’s Covid vaccination portal left the data of up to one million people vulnerable, a security researcher said.
The data at risk included the full names, vaccination status and type of vaccination people received. The issue was discovered in December 2021 by Aaron Costello, security researcher and principal software-as-a-service security engineer at cyber security company AppOmni.
Mr Costello said the issue was due to a “misconfiguration” in the portal that gave registered users excessive permissions, potentially granting access to sensitive personally identifiable information and the protected health information of other registrants, as well as internal HSE documents.
He said he reported the issue to the HSE in mid-December 2021, with the organisation confirming the problem within a few days. Information provided to the researcher indicated the misconfiguration was resolved shortly after.
There has been no indication yet that the information was accessed by any users with malicious intent.
The HSE confirmed the problem had arisen, pointing to the “time pressure” the Covid-19 vaccination campaign was under. It said the problem had been remedied the day it was alerted to it.
The breach came just months after over 100,000 patients had their personal data hacked in a major breach of the health service’s computer systems.
“If someone accessed data, we would be able to see this in the detailed logs which we analysed,” the HSE said in a statement.
“Apart from the source who informed us of this issue, there was no unauthorised accessing or viewing of this data,” the HSE said. It said the data accessed by Mr Costello was “insufficient to identify any person without additional data fields being exposed and, in these circumstances, it was determined that a personal data breach report to the Data Protection Commission was not required”.