Pharmacies had access to the data of everyone in Austria who had registered for a corona test through the portal.
The web developer Gökhan S. discovered a security vulnerability in the österreich-testet.at platform: every pharmacy participating in austria-testet.at was able to retrieve the data of all corona tests across Austria via the website's regular API.
The affected data: name, address, social security number, phone number, email address and the corona test result. Affected people: potentially hundreds of thousands of people throughout Austria who had registered for a corona test via österreich-testet.at in the past 7 days. That is what epicenter.works reports. The civil rights organization took a closer look at the vulnerability together with the team of the ORF magazine konkret.
“The austria-testet.at platform worked like an ATM where you have a card and a PIN code, but could then withdraw money from any account,” explains Thomas Lohninger, Managing Director of epicenter.works. The gap is “by design”, Lohninger told futurezone. True to the motto: “These are trustworthy healthcare providers, they won't do anything bad with the data.”
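The flaw Lohninger describes is a missing object-level authorization check: the API verified who the caller was (the card and the PIN) but never verified that the requested record belonged to that caller. The following Python sketch is an added illustration of that pattern and not code from österreich-testet.at; the article does not disclose the platform's actual API, record format or fix, so the record store, the `pharmacy_id` ownership field, the ID range and all sample data below are hypothetical and constructed.

```python
"""Object-level authorization: the pattern behind the flaw described above.

Hypothetical model, not the real österreich-testet.at API: a pharmacy logs in
(authentication) and then asks for a test record by ID.  Authentication alone
does not establish that the record belongs to that pharmacy; that is the
missing check.  All records, names and IDs below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable


@dataclass(frozen=True)
class TestRecord:
    test_id: int
    pharmacy_id: str      # assumed: the test site that registered the person
    name: str
    ssn: str              # social security number
    result: str


@dataclass(frozen=True)
class Session:
    """An authenticated caller: the 'card and PIN' in Lohninger's analogy."""
    pharmacy_id: str


# Constructed sample data: two pharmacies, three registered people.
RECORDS: Dict[int, TestRecord] = {
    1001: TestRecord(1001, "pharmacy-A", "A. Muster", "1234 010170", "negative"),
    1002: TestRecord(1002, "pharmacy-A", "B. Beispiel", "5678 020280", "positive"),
    1003: TestRecord(1003, "pharmacy-B", "C. Probe", "9012 030390", "negative"),
}


class NotFound(Exception):
    """Raised for an unknown ID, and (in the hardened version) for a foreign one."""


def lookup_vulnerable(session: Session, test_id: int) -> TestRecord:
    """Authentication only: any logged-in pharmacy can read any record."""
    if session is None:
        raise PermissionError("login required")
    if test_id not in RECORDS:
        raise NotFound(test_id)
    return RECORDS[test_id]


def lookup_hardened(session: Session, test_id: int) -> TestRecord:
    """Authentication plus object-level authorization.

    A record that exists but belongs to another pharmacy is answered exactly
    like a record that does not exist, so the endpoint also does not leak
    which IDs are in use.
    """
    if session is None:
        raise PermissionError("login required")
    record = RECORDS.get(test_id)
    if record is None or record.pharmacy_id != session.pharmacy_id:
        raise NotFound(test_id)
    return record


def enumerate_results(lookup: Callable[[Session, int], TestRecord],
                      session: Session, id_range: Iterable[int]) -> Dict[int, str]:
    """What a caller can harvest by iterating IDs against `lookup`."""
    harvested: Dict[int, str] = {}
    for test_id in id_range:
        try:
            harvested[test_id] = lookup(session, test_id).result
        except NotFound:
            continue
    return harvested


if __name__ == "__main__":
    caller = Session("pharmacy-A")
    ids = range(1000, 1010)
    print("vulnerable:", enumerate_results(lookup_vulnerable, caller, ids))
    print("hardened:  ", enumerate_results(lookup_hardened, caller, ids))
```

Run against the constructed store, pharmacy A harvests all three records through `lookup_vulnerable` and only its own two through `lookup_hardened`. The point of the hardened version is that the ownership check sits on the server beside the record, rather than being replaced by the assumption that authenticated healthcare providers will simply not ask for other people's data.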
Thomas Lohninger examined the vulnerability for epicenter.works
© Franz Gruber, Kurier
Reported immediately, fired as thanks
Gökhan S., who was employed as a web developer at a pharmacy, handed his discovery over to the Ministry of Health. He reported the gap immediately after discovering it. Only when ORF konkret enquired with the ministry was there a reaction: the pharmacy where Gökhan S. had worked was excluded from österreich-testet.at. The pharmacy then terminated his employment. Update: An earlier version of this article showed a stock image (APA) of a pharmacy in Vienna. It was not the pharmacy where Gökhan S. had worked.
Statement of the Ministry of Health
The Ministry of Health told ORF konkret that this was not a security gap but an “unlawful use of the internal documentation system of an individual pharmacy”. The ministry confirmed this when asked by futurezone. The pharmacy is “solely responsible under data protection law” in the context of the tests. “The Ministry of Health is therefore not responsible,” it says. The ministry “regrets this incident, but would like to point out that pharmacies – just like doctors in private practice – are subject to a statutory duty of care and to professional secrecy.”
However, “adjustments have been made to better protect the systems against any unlawful use by individual test sites,” the ministry told futurezone. “The Ministry is of course also concerned with the security of health data, for the processing of which other bodies are responsible under data protection law. For this reason, the internal system of individual pharmacies was optimized together with the Chamber of Pharmacists and the error mentioned was fixed,” according to the ministry.
A check by epicenter.works confirmed that it is no longer possible to retrieve the test results of all registered people.