Francetest, a company that specializes in transferring data from Covid tests performed in French pharmacies to the SI-DEP platform, was involved in an incident in which 700,000 Covid test results were left exposed online.
In addition, sensitive information such as names, dates of birth, addresses, email addresses, phone numbers, and Social Security numbers was also leaked.
According to Mediapart, some security bugs on the Francetest platform led to the information being available to everybody for several months.
The personal data and Covid test results of several hundred thousand people were accessible to all for several months in a few clicks due to several security vulnerabilities on the Francetest platform, a company transferring pharmacists’ data to the SI-DEP file, the file centralizing all test data.
Following the warning from Mediapart, which noticed the vulnerability in the Francetest platform's system, the flaw was immediately addressed and patched.
The Discovery
The issue came to light when a patient attempted to recover their test results using the link sent by the pharmacist. Thanks to their IT knowledge, they were able to see that something was wrong.
When the patient looked at the URL, they were shocked to see that the open-source content management system WordPress was being utilized to handle confidential information.
The patient immediately became aware of the fact that they could access documents containing patient data through the URL tree and even create an account without being a pharmacist.
Last week, the General Directorate of Health (DGS) sent pharmacists an email reminding them of the approved software compatible with SI-DEP, a list that does not include Francetest.
Cyber security expert Gérôme Billois declared:
When you go to a website, it is extremely difficult to know whether it is reliable or not. You always see the words 100% secure. The general public cannot verify that.
This is why there are several regulatory proposals seeking to impose a minimum level of safety and a label, like the CE label.
We need to achieve more and more external recognition, independent of those who created these websites.
According to Francetest, there is no proof that any sensitive patient or pharmacist data was leaked. The warning was meant to let people know that this vulnerability existed, but it has been taken care of.