HSE glitch: Full names and vaccination status among data of up to 1 million people at risk

Covid jab status details available to unauthorised users, according to security researcher who discovered the issue

The personal details and vaccination status of up to one million people were left exposed in a HSE cyber lapse.
A problem with the HSE’s Covid vaccination portal left the data of up to one million people vulnerable, a security researcher said.

The data at risk included the full names, vaccination status and type of vaccination people received. The issue was discovered in December 2021 by Aaron Costello, security researcher and principal software-as-a-service security engineer at cyber security company AppOmni.

Mr Costello said the issue was due to a “misconfiguration” in the portal. This gave registered users excessive permissions, potentially granting access to the sensitive personally identifiable information and protected health information of other registrants, as well as internal HSE documents.

He said he reported the issue to the HSE in mid-December 2021, with the organisation confirming the problem within a few days. Information provided to the researcher indicated the misconfiguration was resolved shortly after.

There has been no indication yet that the information was accessed by any users with malicious intent.

The HSE confirmed the problem had arisen, pointing to the “time pressure” the Covid-19 vaccination campaign was under. It said the problem had been remedied the day it was alerted to it.

The breach came just months after over 100,000 patients had their personal data hacked in a major breach of the health service’s computer systems.

“If someone accessed data, we would be able to see this in the detailed logs which we analysed,” the HSE said in a statement.

“Apart from the source who informed us of this issue, there was no unauthorised accessing or viewing of this data,” the HSE said. It said the data accessed by Mr Costello was “insufficient to identify any person without additional data fields being exposed and, in these circumstances, it was determined that a personal data breach report to the Data Protection Commission was not required”.

Ciara O'Brien

Ciara O'Brien is an Irish Times business and technology journalist