The organisation “misconfigured” a Covid-related database in December of 2021, a spokesperson said, opening the details of more than a million people up to potential exploitation.
In a statement, the health body said no personal data was accessed by hackers or malicious parties. However, it did not report the issue to the Data Protection Commissioner (DPC), which was made aware of the data lapse this week by the Irish Independent and is now examining the issue.
If the DPC determines that a data breach occurred, it could open an investigation into the breach itself and why a breach notice was not made.
The initial security lapse was spotted by an external security researcher, Aaron Costello, who says the IT glitch allowed third parties to access personal information about vaccinated citizens.
In a statement, Mr Costello said the IT vulnerability “allowed individuals to access sensitive personal identifiable information and protected health information of other registrants, as well as internal Health Service Executive documents”.
In a statement, the HSE said it fixed the IT glitch soon after being made aware of the issue by Mr Costello, although it did not say how long the vulnerability had existed.
The security lapse occurred just months after the calamitous IT security attack on the HSE, which disrupted the national healthcare system, cost the taxpayer more than €100m and forced Ireland to rethink its standards in national cybersecurity.
The HSE has blamed “time pressure” to get Ireland’s “Covax” Covid-19 registration database up and running for the security lapse.
The Covax system, which the HSE says is at the centre of the glitch, is an electronic dataset that records Covid-19 vaccinations for all residents in the State.
According to the HSE, it also assists in the planning of vaccination clinics as well as being used for statistical and activity analysis.
“Security considerations were at the forefront of the Covax deployment, however when a system of this nature is put together under time pressure, as was the case as we established the Covid-19 vaccination campaign, misconfigurations can occur,” a spokesperson said.
“In this case, an external source pointed out one misconfiguration which would have required deep technical expertise to exploit. Apart from the source who informed us of this issue, there was no unauthorised accessing or viewing of this data.”
The spokesperson also said the data accessed by Mr Costello “was insufficient to identify any person without additional data fields being exposed and, in these circumstances, it was determined that a Personal Data Breach report to the Data Protection Commission was not required”.
However, Mr Costello said he was able to access enough information to regard it as a serious security vulnerability and expressed disappointment that the HSE did not disclose the lapse to other authorities.