Data Breach Results in the Distribution of Personal Information
Irish citizens who have applied for the Covid vaccine passport are faced with a newly discovered security risk, as personal information has been distributed to the wrong individuals. This data breach has been raising great concern, according to Sinn Fein’s health spokesperson.
In response, Northern Ireland’s Department of Health (DoH) has halted its Covid-19 vaccine passport service (COVIDCert NI).
COVIDCert Provides Vaccinated Individuals With a Digital Certificate
COVIDCert is an online service provided to vaccinated individuals residing in Northern Ireland, separate from the NHS COVID Pass which is used in England and Wales. Individuals are able to receive a digital certificate, confirming their vaccination status. However, it was discovered that individuals were being sent personal information for patients other than themselves.
The Northern Ireland Department of Health reported the incident to UK’s Information Commissioner’s Office (ICO) promptly after discovery, according to regulation. The Department of Health stated that immediate action was taken and that services managing identity have been temporarily disabled until the cause of the breach is determined and it is safe for the public to use again.
Parties not affected by the breach include:
- Applicants (currently up to and including 31/07) who already have their certificate – their apps or paper copies are still operational and valid
- Applicants (to 31/07) who have lodged an application using the COVIDCert NI app for an electronic certificate who have not yet received it – a PDF will be sent
- Applicants (to 31/07) who have lodged an application using the COVIDCert NI app for an electronic certificate who have not yet received it – A PDF will be sent as an interim step
- Applicants who have lodged an application for an electronic certificate who receive a PDF copy instead will be able to
Applicants who lodged an application for an electronic certificate will receive a PDF version instead and will be able to download their electronic certificate by logging in once the issue has been fixed. Applicants who are currently undergoing identity validation in the system can continue with the process. Once they are validated, they will have to wait until the problem has been fixed before continuing further.
The temporary shutdown will result in individuals being locked out of their accounts until the issue is resolved.
What Seems Like a Minor Incident Has Serious Implications
The health industry has been hit by several attacks over the last year, and Ireland’s healthcare system was hit by a crippling ransomware attack just two months ago. The attack impacted all national and local IT systems, and all servers were forced to be taken offline to protect sensitive data. This resulted in a delay of most routine services, although the COVID-19 vaccination program continued to operate. The recent data breach has raised much concern in Northern Ireland following a year of aggressive and increasingly sophisticated attacks.
Colm Gildernew, a Sinn Fein politician serving in Northern Ireland, stated:
“Significant personal information could have been exposed and it was right for the Department [of Health] to advise the Information Commissioner’s Office. The Department must also ensure that those impacted are made aware of the breach and actions being taken to address this issue.”
Thus far, it seems that NI Department of Health has taken all necessary steps to address the breach and are on their way to finding a fix. The timeline for resuming the passport program is not yet known.