The data of clients in the Moje eZdravie app has been critically vulnerable.
The Nethemba IT security firm published a blog post on Thursday claiming that it was able to extract information about more than 130,000 patients who were tested for COVID-19 in Slovakia, including their personal identification numbers (birth numbers) and the results of their coronavirus tests.
According to Nethemba, the data of 390,000 patients were in danger.
The Moje eZdravie app is the official app with information about the coronavirus in Slovakia that allows users to communicate with state authorities, particularly if they suspect they might have been infected with the novel coronavirus.
The ethical hackers from Nethemba reported that they downloaded and analysed a large sample of random data and found that it came from unique records. Based on numeric identifiers, they found at least 391,250 valid records, including freshly recorded data about the tested patients.
The leaked information includes the name, surname, personal identification number, date of birth, sex, mobile phone number, place of residence, and e-mail address of those tested.
"This can be abused for sophisticated targeted social engineering attacks, like phishing," Nethemba's blog reads.
The ethical hackers were also able to access information about the results of people's COVID tests, health insurer information and the name of the lab that performed the test.
Nethemba notified the providers about the error in the app and only reported on it once it was fixed, on September 16 by 16:50.
Lawyer Peter Kováč from the Kinstellar law firm explained that this was a cyber security incident as well as a violation of personal data protection. The National Health Information Center (NCZI) that runs the app now has to report the violation to the Office for Personal Data Protection.
"The affected persons should be notified too," Kováč told the TASR newswire. In this case, when hundreds of thousands of people are at stake, it is necessary to make sure that the public is informed about the incident.
Kováč expects the leak to result in a high fine.
Officials admit there was a problem
The National Health Information Center admitted that there was a bug in the Moje eZdravie app.
NCZI confirmed on September 18 that the app's vulnerability has been eliminated. Its head, Peter Bielik, admitted that if the problem had not been discovered, there might have been some damage.
Nethemba, the company that pointed out the problem, promised that it would not misuse the data it obtained about tested people.