HSE Error Exposed Over a Million Irish Citizens’ Vaccine Status – Infosecurity Magazine

Protected health information and personal details of over a million Irish citizens were accidentally exposed by Ireland's Health Service Executive (HSE) during the COVID pandemic, according to an AppOmni security researcher.

This information included individuals' vaccine status and the vaccine type they received, and it could have been accessed by anyone who registered on the HSE COVID Vaccination Portal before the end of 2021.

The misconfiguration in the portal also made internal HSE documents publicly available, Aaron Costello, Principal SaaS Security Engineer at AppOmni, revealed in a blog post dated March 14, 2024.

The exposed health and personal information included:

Costello discovered the issue in December 2021, and HSE confirmed to him it had been fixed on January 17, 2022.

There is no evidence that the information was accessed by any unauthorized individuals with malicious intent.

Costello explained that he has decided to make the issue public to help educate organizations on the risks of handling sensitive data in SaaS applications.

The HSE vaccination portal was created during the COVID-19 crisis to enable Irish citizens to quickly book vaccine appointments, with users signing up through a self-registration form.

The portal was built on top of the Salesforce platform, in what is known as a Digital Community. These communities are configured to grant all registered individuals a specific profile, which gives them permissions to perform actions on the portal's user interface, such as registering for a vaccination or viewing their appointment details.

However, the profile permissions were accidentally configured by HSE to grant users access to the Health Cloud object that stored information about other registrants, including their vaccination status.

Users were also granted excessive privileges that could enable them to access a folder containing internal HSE documents.

Most users would not have realized they had this level of access because the portal is specifically designed to show only the individual's own data, Costello noted.

However, a malicious actor could have exploited the misconfiguration to access and exfiltrate the sensitive information about individuals and HSE.

Costello explained this could have been achieved by simply registering on the Vaccination Portal to be automatically assigned the over-privileged Salesforce profile, then viewing all objects that existed within the Salesforce platform through the API, including those in the Health Cloud application.

From there, a malicious actor could iterate over the list of available objects and attempt to access and download the data within them.

This would have allowed the malicious individual to access both internal HSE documentation, and all vaccine administration records for over a million individuals, Costello explained.

The Irish Times quoted an HSE spokesperson who confirmed the misconfiguration had occurred, and said it was remediated the day the HSE was alerted to the issue.

It highlighted the time pressure of the COVID-19 vaccination program as the cause for the accidental exposure, but reiterated that there was no evidence that a malicious actor accessed the data.

Costello set out the best practices that organizations with public-facing content on the Salesforce platform should follow to avoid the risk of data exposure:

Costello acknowledged that these actions would have been exceptionally difficult for HSE to manually implement amid the rush to manage the rapid vaccination rollout across the country during the pandemic.
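One way to make this kind of review repeatable rather than manual is to audit the object permissions that external profiles hold. The Python below is an added example, not code from the article, from AppOmni or from HSE. It consumes rows shaped like the result of a SOQL query against Salesforce's standard ObjectPermissions object (the query in the docstring is the assumed source) and flags community or portal profiles that can read objects outside a portal allowlist or that carry "View All Records", which bypasses record-level sharing entirely. The license-name prefixes used to recognise external profiles, the allowlist, the custom object names and the sample rows are all assumptions or constructed data.

```python
"""Audit Salesforce object permissions granted to external (community/portal) profiles.

Assumed input: rows returned by a SOQL query such as

  SELECT SobjectType, PermissionsRead, PermissionsViewAllRecords,
         Parent.Profile.Name, Parent.Profile.UserLicense.Name
  FROM ObjectPermissions
  WHERE Parent.IsOwnedByProfile = true

The rows in SAMPLE_ROWS are constructed for this example; they are not HSE's
configuration. Object-level Read is necessary but not sufficient to see other
registrants' records (record sharing decides that); "View All Records" removes
the sharing barrier outright, so it is reported separately.
"""
from dataclasses import dataclass

# Heuristic (assumption): license names that denote externally facing profiles.
EXTERNAL_LICENSE_PREFIXES = ("Customer Community", "Partner Community",
                             "External Identity", "Guest")

# Constructed allowlist of objects a self-registered portal user plausibly needs
# to read. A real baseline comes from the portal's own functional requirements.
PORTAL_READ_ALLOWLIST = frozenset({"Contact", "Vaccination_Appointment__c"})


@dataclass(frozen=True)
class Finding:
    profile: str
    sobject: str
    issue: str  # "view_all_records" or "read_not_in_allowlist"


def is_external_profile(license_name):
    """True when the profile's user license marks it as externally facing."""
    return license_name is not None and license_name.startswith(EXTERNAL_LICENSE_PREFIXES)


def audit_object_permissions(rows, allowlist=PORTAL_READ_ALLOWLIST):
    """Return a list of Findings for external profiles with excessive object access."""
    findings = []
    for row in rows:
        profile = (row.get("Parent") or {}).get("Profile") or {}
        license_name = (profile.get("UserLicense") or {}).get("Name")
        if not is_external_profile(license_name):
            continue  # internal staff profiles are out of scope for this check
        profile_name = profile.get("Name", "<unknown>")
        sobject = row["SobjectType"]
        if row.get("PermissionsViewAllRecords"):
            findings.append(Finding(profile_name, sobject, "view_all_records"))
        if row.get("PermissionsRead") and sobject not in allowlist:
            findings.append(Finding(profile_name, sobject, "read_not_in_allowlist"))
    return findings


def format_report(findings):
    """Render findings as one line each, sorted for stable diffing between runs."""
    lines = [f"{f.profile}: {f.sobject} -> {f.issue}"
             for f in sorted(findings, key=lambda f: (f.profile, f.sobject, f.issue))]
    return "\n".join(lines) if lines else "no excessive external object permissions found"


def _row(sobject, read, view_all, profile, license_name):
    return {"SobjectType": sobject, "PermissionsRead": read,
            "PermissionsViewAllRecords": view_all,
            "Parent": {"Profile": {"Name": profile, "UserLicense": {"Name": license_name}}}}


# Constructed sample: one portal profile with two expected grants and two excessive
# ones, plus an internal profile that the audit must ignore.
SAMPLE_ROWS = [
    _row("Contact", True, False, "Vaccination Portal User", "Customer Community"),
    _row("Vaccination_Appointment__c", True, False, "Vaccination Portal User", "Customer Community"),
    _row("Immunization_Record__c", True, True, "Vaccination Portal User", "Customer Community"),
    _row("Document", True, False, "Vaccination Portal User", "Customer Community"),
    _row("Immunization_Record__c", True, True, "Clinic Administrator", "Salesforce"),
]

if __name__ == "__main__":
    print(format_report(audit_object_permissions(SAMPLE_ROWS)))
```

Run against live data, the rows would come from the SOQL query in the docstring; the allowlist is the control point and should be reviewed whenever the portal gains a feature, since every object added to it widens what an anonymous self-registered user can read.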

Image credit: Lukassec / Shutterstock.com
