A vulnerability in the Moje eZdravie application, which could have enabled unauthorized outsiders to obtain the personal data of more than 390,000 people tested for the new coronavirus in Slovakia, was discovered by the Slovak IT security company Nethemba. As the company reported on Thursday, the data collected and managed by the National Health Information Center (NCZI) were not encrypted, and the sensitive information could be accessed without any authentication. There were also no mechanisms to prevent mass download of the data, which contain a person's first name, surname, personal birth register number, date of birth, gender, mobile phone number, place of residence, and information about the patient's clinical symptoms. The exact date of sampling, the laboratory that performed the test, the dates of acceptance and examination, the type of test and its result could also be obtained.
Nethemba reported this weakness through the official channel to the government's cyber security unit CSIRT on Sunday at 11:30 p.m. The fix was carried out on Wednesday between 16:30 and 16:50. "Only after this weakness was fixed did we decide to inform the public about the vulnerability," the company said.
On Friday afternoon, the general manager of the National Health Information Center (NCZI), Peter Bielik, confirmed the existence of the vulnerability in the Moje eZdravie app as described by the ethical hackers, but said that it was fixed after CSIRT informed the center about it. He added that the app is independent of the eHealth system, which manages the medical records of all patients in Slovakia. It is not clear at the moment whether anyone other than the ethical hackers accessed personal data via the vulnerability in the app.
The Health Ministry has asked NCZI for a report on what happened. "Any leak of such sensitive information as health data must not happen. If a breach of personal data protection rules is proven, the ministry will take appropriate measures against those responsible," said Health Ministry spokesperson Zuzana Eliášová on Thursday afternoon.
NCZI eventually informed the Personal Data Protection Agency, which, as of Thursday when the news broke, had not received any report from NCZI of a security incident related to the leak. By law, any personal data breach must be reported to the competent authority without undue delay and, where feasible, no later than 72 hours after becoming aware of it. The agency is monitoring the situation in this particular case.
For more on this topic, listen to Jonathan McCormick's report from Tuesday's edition of "Slovakia Today".