Bug in Irish Vaccination Portal Exposed Data of One Million
A significant security flaw in the Irish Health Service Executive's (HSE) COVID-19 vaccination portal, which exposed the vaccination records of approximately a million people, has been disclosed after a two-year delay. The vulnerability, discovered by security researcher Aaron Costello in December 2021, allowed anyone registering on the HSE vaccination portal to access other users' health information.
This information included full names, vaccination details, and reasons for administering or refusing vaccines, among other data. "Thankfully, the ability to see everyone’s vaccination administration details was not immediately obvious to regular users who were using the portal as intended," remarked Costello in a statement shared with TechCrunch.
The portal, built on Salesforce's Health Cloud, granted registered users excessive permissions, which led to the exposure. Costello, who now works as a principal security engineer at AppOmni, highlighted the severity of the flaw, noting that it also allowed access to internal HSE documents.
Despite the potential for misuse, detailed access logs reviewed by the HSE showed that "no unauthorized accessing or viewing of this data" occurred. Thankfully, the HSE responded swiftly to the alert, with spokesperson Elizabeth Fraser stating, "We remediated the misconfiguration on the day we were alerted to it." However, the incident's delayed disclosure has raised questions about transparency.
According to ITPro, the vulnerability was discovered just months after a major ransomware attack on the HSE, which was described by the minister of state for public procurement and eGovernment, Ossian Smyth, as "possibly the most significant cyber attack on the Irish State." This attack led to the shutdown of all HSE IT systems nationwide and caused months of disruption, with costs estimated to exceed €100 million.
This breach highlighted significant security lapses in the handling of sensitive health data. Similarly, in the Netherlands, Coronalab's unprotected database leaked 1.3 million records, including detailed COVID-19 test data and sensitive information. These incidents underscore the urgent need for robust cybersecurity measures in the management of health data.